DecorateDelegatedAssertion (Shibboleth IdP :: SAML Profile Implementation 3.3.2 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>
  - - org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, org.opensaml.profile.action.ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action
```
@Prototype
public class DecorateDelegatedAssertion
extends AbstractProfileAction
```
A profile action which decorates instances of Assertion appropriately for use as delegation tokens.
An instance of DelegationContext is resolved via the strategy set via setDelegationContextLookupStrategy(Function). If no delegation context is found or if DelegationContext.isIssuingDelegatedAssertion() is false, then no decoration occurs.

The decoration consists of 3 primary parts:
1. A holder-of-key SubjectConfirmation is added to the assertion's Subject. The credentials used are taken from DelegationContext.getSubjectConfirmationCredentials().
2. An additional Audience is added to the assertion condition AudienceRestriction, indicating the IdP's own entityID as an acceptable audience. The IdP entityID is resolved from the active RelyingPartyContext, which is resolved via the strategy set by setRelyingPartyContextLookupStrategy(Function).
3. An additional Attribute is added to the assertion's AttributeStatement containing an EndpointReference, indicating the location and other info necessary for the recipient to present the delegated assertion at the IdP for delegated SSO. The attribute name is a URI type with name LibertyConstants.SERVICE_TYPE_SSOS. The endpoint URL is either set directly on this action via setLibertySSOSEndpointURL(String), or is resolved via the strategy setLibertySSOSEndpointURLLookupStrategy(Function).
Event:

EventIds.INVALID_PROFILE_CTX

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`private class`	`DecorateDelegatedAssertion.AssertionStrategy` Default strategy for obtaining assertion to modify.
`static class`	`DecorateDelegatedAssertion.LibertySSOSEndpointURLStrategy` Strategy that builds the SSOS endpoint URL based on the current HTTP request using default values for scheme, port and URI path suffix.

Field Summary

Fields
Modifier and Type	Field and Description
`private Function<org.opensaml.profile.context.ProfileRequestContext,List<org.opensaml.saml.saml2.core.Assertion>>`	`assertionLookupStrategy` Strategy used to locate the `Assertion`s on which to operate.
`private List<org.opensaml.saml.saml2.core.Assertion>`	`assertions` The list of assertions on which to operate.
`private DelegationContext`	`delegationContext` The delegation context instance to be populated.
`private Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext>`	`delegationContextLookupStrategy` Strategy used to lookup the {@link DelegationContext.
`private org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager`	`keyInfoGeneratorManager` The manager used to generate KeyInfo instances from Credentials.
`private String`	`libertySSOSEndpointURL` The URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`private Function<Pair<org.opensaml.profile.context.ProfileRequestContext,HttpServletRequest>,String>`	`libertySSOSEndpointURLLookupStrategy` The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`private org.slf4j.Logger`	`log` Class logger.
`private RelyingPartyContext`	`relyingPartyContext` The current RelyingPartyContext.
`private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext>`	`relyingPartyContextLookupStrategy` Strategy used to lookup the RelyingPartyContext.
`private String`	`relyingPartyId` The entityID of the SAML relying party.
`private String`	`responderId` The entityID of the local responder entity.

Constructor Summary

Constructors
Constructor and Description

DecorateDelegatedAssertion()
Constructor.

Constructors
Constructor and Description
`DecorateDelegatedAssertion()` Constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`private void`	`addIdPAudienceRestriction(org.opensaml.profile.context.ProfileRequestContext requestContext, org.opensaml.saml.saml2.core.Assertion assertion)` An an AudienceRestriction condition indicating the IdP as an acceptable Audience.
`private void`	`addLibertySSOSEPRAttribute(org.opensaml.profile.context.ProfileRequestContext requestContext, org.opensaml.saml.saml2.core.Assertion assertion)` Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.
`private void`	`addSAMLPeerSubjectConfirmation(org.opensaml.profile.context.ProfileRequestContext requestContext, org.opensaml.saml.saml2.core.Assertion assertion)` Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.
`private org.opensaml.core.xml.XMLObject`	`buildLibertSSOSEPRAttributeValue(org.opensaml.profile.context.ProfileRequestContext requestContext, org.opensaml.saml.saml2.core.Assertion assertion)` Build the Liberty SSOS EPR AttributeValue object.
`private void`	`decorateDelegatedAssertion(org.opensaml.profile.context.ProfileRequestContext requestContext)` Decorate the Assertion to allow use as a delegated security token by the SAML requester.
`protected void`	`doExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)`
`protected void`	`doInitialize()`
`protected boolean`	`doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)`
`protected boolean`	`doPreExecuteDelegationInfo(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)` Pre-execute actions on the delegation-specific info.
`protected boolean`	`doPreExecuteRelyingParty(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)` Pre-execute actions on the relying party context info.
`private void`	`resolveLibertySSOSEndpointURL(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)` Resolve and store the effective Liberty SSOS endpoint URL to use.
`void`	`setAssertionLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,List<org.opensaml.saml.saml2.core.Assertion>> strategy)` Set the strategy used to locate the `Assertion` to operate on.
`void`	`setDelegationContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> strategy)` Set the strategy used to locate the current `DelegationContext`.
`void`	`setKeyInfoGeneratorManager(org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager manager)` Set the `KeyInfoGeneratorManager` instance used to generate `KeyInfo` from `Credential`.
`void`	`setLibertySSOSEndpointURL(String url)` Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`void`	`setLibertySSOSEndpointURLLookupStrategy(Function<Pair<org.opensaml.profile.context.ProfileRequestContext,HttpServletRequest>,String> strategy)` Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`void`	`setRelyingPartyContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy)` Set the strategy used to locate the current `RelyingPartyContext`.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log
```
private final org.slf4j.Logger log
```
Class logger.

libertySSOSEndpointURL
```
private String libertySSOSEndpointURL
```
The URL at which the IdP will accept Liberty ID-WSF SSOS requests.

libertySSOSEndpointURLLookupStrategy

@Nullable
private Function<Pair<org.opensaml.profile.context.ProfileRequestContext,HttpServletRequest>,String> libertySSOSEndpointURLLookupStrategy

The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.

relyingPartyContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

delegationContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> delegationContextLookupStrategy

Strategy used to lookup the {@link DelegationContext.

assertionLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,List<org.opensaml.saml.saml2.core.Assertion>> assertionLookupStrategy

Strategy used to locate the Assertions on which to operate.

keyInfoGeneratorManager

@Nonnull
private org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager keyInfoGeneratorManager

The manager used to generate KeyInfo instances from Credentials.

delegationContext
```
private DelegationContext delegationContext
```
The delegation context instance to be populated.

assertions

private List<org.opensaml.saml.saml2.core.Assertion> assertions

The list of assertions on which to operate.

relyingPartyContext

private RelyingPartyContext relyingPartyContext

The current RelyingPartyContext.

responderId
```
private String responderId
```
The entityID of the local responder entity.

relyingPartyId
```
private String relyingPartyId
```
The entityID of the SAML relying party.

Constructor Detail
- DecorateDelegatedAssertion
```
public DecorateDelegatedAssertion()
```
  Constructor.

Method Detail

setLibertySSOSEndpointURL
```
public void setLibertySSOSEndpointURL(@Nullable
                             String url)
```
Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:
url - the Liberty ID-WSF SSOS endpoint URL, or null

setLibertySSOSEndpointURLLookupStrategy

public void setLibertySSOSEndpointURLLookupStrategy(@Nullable
                                           Function<Pair<org.opensaml.profile.context.ProfileRequestContext,HttpServletRequest>,String> strategy)

Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:: strategy - the Liberty ID-WSF SSOS endpoint URL lookup strategy, or null

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                        Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:: strategy - strategy used to locate the current RelyingPartyContext

setDelegationContextLookupStrategy

public void setDelegationContextLookupStrategy(@Nonnull
                                      Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> strategy)

Set the strategy used to locate the current DelegationContext.

Parameters:: strategy - strategy used to locate the current DelegationContext

setAssertionLookupStrategy

public void setAssertionLookupStrategy(@Nonnull
                              Function<org.opensaml.profile.context.ProfileRequestContext,List<org.opensaml.saml.saml2.core.Assertion>> strategy)

Set the strategy used to locate the Assertion to operate on.

Parameters:: strategy - strategy used to locate the Assertion to operate on

setKeyInfoGeneratorManager

public void setKeyInfoGeneratorManager(@Nonnull
                              org.opensaml.xmlsec.keyinfo.NamedKeyInfoGeneratorManager manager)

Set the KeyInfoGeneratorManager instance used to generate KeyInfo from Credential.

Parameters:: manager - the manager instance to use

doInitialize
```
protected void doInitialize()
                     throws ComponentInitializationException
```
Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                   org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:: doPreExecute in class org.opensaml.profile.action.AbstractConditionalProfileAction

doPreExecuteDelegationInfo
```
protected boolean doPreExecuteDelegationInfo(@Nonnull
                                 org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
```
Pre-execute actions on the delegation-specific info.

Parameters:
profileRequestContext - the current profile request context

Returns:
true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty
```
protected boolean doPreExecuteRelyingParty(@Nonnull
                               org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
```
Pre-execute actions on the relying party context info.

Parameters:
profileRequestContext - the current profile request context

Returns:
true iff doExecute(ProfileRequestContext) should proceed

doExecute

protected void doExecute(@Nonnull
             org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:: doExecute in class org.opensaml.profile.action.AbstractProfileAction

resolveLibertySSOSEndpointURL
```
private void resolveLibertySSOSEndpointURL(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
```
Resolve and store the effective Liberty SSOS endpoint URL to use.

Parameters:
profileRequestContext - the current request context

decorateDelegatedAssertion

private void decorateDelegatedAssertion(@Nonnull
                              org.opensaml.profile.context.ProfileRequestContext requestContext)

Decorate the Assertion to allow use as a delegated security token by the SAML requester.

Parameters:: requestContext - the current request context

addLibertySSOSEPRAttribute

private void addLibertySSOSEPRAttribute(@Nonnull
                              org.opensaml.profile.context.ProfileRequestContext requestContext,
                              @Nonnull
                              org.opensaml.saml.saml2.core.Assertion assertion)

Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.

Parameters:: requestContext - the current request context; assertion - the delegated assertion being issued

buildLibertSSOSEPRAttributeValue

@Nonnull
private org.opensaml.core.xml.XMLObject buildLibertSSOSEPRAttributeValue(@Nonnull
                                                                       org.opensaml.profile.context.ProfileRequestContext requestContext,
                                                                       @Nonnull
                                                                       org.opensaml.saml.saml2.core.Assertion assertion)

Build the Liberty SSOS EPR AttributeValue object.

Parameters:: requestContext - the current request context; assertion - the delegated assertion being issued
Returns:: the AttributeValue object containing the EPR

addIdPAudienceRestriction

private void addIdPAudienceRestriction(@Nonnull
                             org.opensaml.profile.context.ProfileRequestContext requestContext,
                             @Nonnull
                             org.opensaml.saml.saml2.core.Assertion assertion)

An an AudienceRestriction condition indicating the IdP as an acceptable Audience.

Parameters:: requestContext - the current request context; assertion - the assertion being isued

addSAMLPeerSubjectConfirmation

private void addSAMLPeerSubjectConfirmation(@Nonnull
                                  org.opensaml.profile.context.ProfileRequestContext requestContext,
                                  @Nonnull
                                  org.opensaml.saml.saml2.core.Assertion assertion)

Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.

Parameters:: requestContext - the current request context; assertion - the assertion being issued

Class DecorateDelegatedAssertion

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

log

libertySSOSEndpointURL

libertySSOSEndpointURLLookupStrategy

relyingPartyContextLookupStrategy

delegationContextLookupStrategy

assertionLookupStrategy

keyInfoGeneratorManager

delegationContext

assertions

relyingPartyContext

responderId

relyingPartyId

Constructor Detail

DecorateDelegatedAssertion