net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class PopulateDelegationContext

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, org.opensaml.profile.action.ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

@Prototype
public class PopulateDelegationContext
extends AbstractProfileAction

A profile action which determines whether issuance of a delegated Assertion token is active, and populates a DelegationContext appropriately.

The output of 3 different evaluations is combined to produce the final result:

1. Determination is made whether delegation is requested by the relying party, as a value of type DelegationRequest. Delegation may be requested via:
   • The inclusion of the IdP entityID as an Audience in the AudienceRestriction condition of the inbound AuthnRequest.
   • The presence of a RequestedAttribute with name LibertyConstants.SERVICE_TYPE_SSOS in the relying party's metadata via AttributeConsumingService.
2. Determination is made whether issuance of a delegated token is allowed for the relying party, based on the (legacy) static value BrowserSSOProfileConfiguration.isAllowingDelegation() or the predicate BrowserSSOProfileConfiguration.getAllowDelegation().
3. Holder-of-key subject confirmation Credential instances are resolved for the relying party from its resolved metadata RoleDescriptor.

If 1) delegation is allowed, 2) subject confirmation credentials were resolved, and 3) request status was either DelegationRequest.REQUESTED_OPTIONAL or DelegationRequest.REQUESTED_REQUIRED, a DelegationContext is populated indicating issuance of delegated token to be active, and containing the resolved subject confirmation credentials.

If request status was DelegationRequest.REQUESTED_REQUIRED but delegation was not allowed and/or no subject confirmation credentials could be resolved, a fatal event is produced.

Otherwise, issuance of a delegated token is not active and so no DelegationContext is populated.

Event:

EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR, EventIds.INVALID_SEC_CFG

Field Summary

Fields

Modifier and Type	Field and Description
private org.opensaml.saml.saml2.metadata.AttributeConsumingService	attributeConsumingService The AttributeConsumingService for the SAML peer entity.
private List<org.opensaml.security.credential.Credential>	confirmationCredentials The subject confirmation credentials.
private org.opensaml.security.credential.CredentialResolver	credentialResolver The credential resolver used to resolve HoK Credentials for the peer.
private DelegationRequest	defaultDelegationRequested Default delegation request value.
private boolean	delegationAllowed Whether delegation is allowed for the current relying party.
private Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext>	delegationContextLookupStrategy Strategy used to lookup the {@link DelegationContext.
private DelegationRequest	delegationRequested The delegation requested state for the current request.
private org.slf4j.Logger	log Class logger.
private RelyingPartyContext	relyingPartyContext The current RelyingPartyContext.
private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext>	relyingPartyContextLookupStrategy Strategy used to lookup the RelyingPartyContext.
private String	relyingPartyId The entityID of the SAML relying party.
private String	responderId The entityID of the local responder entity.
private org.opensaml.saml.saml2.metadata.RoleDescriptor	roleDescriptor The RoleDescriptor for the SAML peer entity.
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLMetadataContext>	samlMetadataContextLookupStrategy Strategy used to lookup the SAMLMetadataContext.

Constructor Summary

Constructors

Constructor and Description
PopulateDelegationContext() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
private void	createAndPopulateDelegationContext(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Create and populate the DelegationContext using the available information.
protected void	doExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected boolean	doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
protected boolean	doPreExecuteInbound(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Pre-execute actions on the inbound message.
protected boolean	doPreExecuteMetadata(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Pre-execute actions on the relying party metadata.
protected boolean	doPreExecuteRelyingParty(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Pre-execute actions on the relying party context info.
DelegationRequest	getDefaultDelegationRequested() Get the effective default value for whether request processing should proceed with issuance of a delegation token.
private DelegationRequest	getDelegationRequested(org.opensaml.profile.context.ProfileRequestContext requestContext) Check whether issuance of a delegated token has been requested.
private DelegationRequest	getDelegationRequestedByMetadata(org.opensaml.profile.context.ProfileRequestContext requestContext) Determine whether a delegation token was requested via the SP's SPSSODescriptor AttributeConsumingService.
private boolean	isDelegationRequestedByAudience(org.opensaml.profile.context.ProfileRequestContext requestContext) Determine whether a delegation token was requested via the inbound AuthnRequest's Conditions' AudienceRestriction.
private List<org.opensaml.security.credential.Credential>	resolveConfirmationCredentials(org.opensaml.profile.context.ProfileRequestContext requestContext) Resolve the subject confirmation credentials.
void	setCredentialResolver(org.opensaml.security.credential.CredentialResolver resolver) Set the CredentialResolver instance to use to resolve HoK Credential.
void	setDefaultDelegationRequested(DelegationRequest delegationRequest) Set the effective default value for whether request processing should proceed with issuance of a delegation token.
void	setDelegationContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> strategy) Set the strategy used to locate the current DelegationContext.
void	setRelyingPartyContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy) Set the strategy used to locate the current RelyingPartyContext.
void	setSAMLMetadataContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLMetadataContext> strategy) Set the strategy used to locate the current SAMLMetadataContext.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

private final org.slf4j.Logger log

Class logger.

relyingPartyContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

samlMetadataContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLMetadataContext> samlMetadataContextLookupStrategy

Strategy used to lookup the SAMLMetadataContext.

delegationContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> delegationContextLookupStrategy

Strategy used to lookup the {@link DelegationContext.

defaultDelegationRequested

private DelegationRequest defaultDelegationRequested

Default delegation request value.

credentialResolver

@Nonnull
private org.opensaml.security.credential.CredentialResolver credentialResolver

The credential resolver used to resolve HoK Credentials for the peer.

delegationRequested

private DelegationRequest delegationRequested

The delegation requested state for the current request.

relyingPartyContext

private RelyingPartyContext relyingPartyContext

The current RelyingPartyContext.

delegationAllowed

private boolean delegationAllowed

Whether delegation is allowed for the current relying party.

responderId

private String responderId

The entityID of the local responder entity.

relyingPartyId

private String relyingPartyId

The entityID of the SAML relying party.

roleDescriptor

private org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor

The RoleDescriptor for the SAML peer entity.

attributeConsumingService

private org.opensaml.saml.saml2.metadata.AttributeConsumingService attributeConsumingService

The AttributeConsumingService for the SAML peer entity.

confirmationCredentials

private List<org.opensaml.security.credential.Credential> confirmationCredentials

The subject confirmation credentials.

Constructor Detail

PopulateDelegationContext

public PopulateDelegationContext()

Constructor.

Method Detail

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                        Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:

strategy - strategy used to locate the current RelyingPartyContext

setSAMLMetadataContextLookupStrategy

public void setSAMLMetadataContextLookupStrategy(@Nonnull
                                        Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLMetadataContext> strategy)

Set the strategy used to locate the current SAMLMetadataContext.

Parameters:

strategy - strategy used to locate the current SAMLMetadataContext

setDelegationContextLookupStrategy

public void setDelegationContextLookupStrategy(@Nonnull
                                      Function<org.opensaml.profile.context.ProfileRequestContext,DelegationContext> strategy)

Set the strategy used to locate the current DelegationContext.

Parameters:

strategy - strategy used to locate the current DelegationContext

setCredentialResolver

public void setCredentialResolver(@Nonnull
                         org.opensaml.security.credential.CredentialResolver resolver)

Set the CredentialResolver instance to use to resolve HoK Credential.

Typically this should be a metadata-based resolver which accepts input as the peer's RoleDescriptor.

Parameters:

resolver - the resolver instance to use

getDefaultDelegationRequested

@Nonnull
public DelegationRequest getDefaultDelegationRequested()

Get the effective default value for whether request processing should proceed with issuance of a delegation token.

Returns:

the default value

setDefaultDelegationRequested

public void setDefaultDelegationRequested(@Nonnull
                                 DelegationRequest delegationRequest)

Set the effective default value for whether request processing should proceed with issuance of a delegation token.

Parameters:

delegationRequest - the default delegation requested value

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                   org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class org.opensaml.profile.action.AbstractConditionalProfileAction

doPreExecuteInbound

protected boolean doPreExecuteInbound(@Nonnull
                          org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Pre-execute actions on the inbound message.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty

protected boolean doPreExecuteRelyingParty(@Nonnull
                               org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party context info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteMetadata

protected boolean doPreExecuteMetadata(@Nonnull
                           org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party metadata.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed, false otherwise

doExecute

protected void doExecute(@Nonnull
             org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class org.opensaml.profile.action.AbstractProfileAction

createAndPopulateDelegationContext

private void createAndPopulateDelegationContext(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Create and populate the DelegationContext using the available information.

Parameters:

profileRequestContext - the current request context

resolveConfirmationCredentials

private List<org.opensaml.security.credential.Credential> resolveConfirmationCredentials(@Nonnull
                                                                               org.opensaml.profile.context.ProfileRequestContext requestContext)

Resolve the subject confirmation credentials.

Parameters:

requestContext - the current request context

Returns:

the subject confirmation credentials, or null if not resolveable or there is an error

getDelegationRequested

private DelegationRequest getDelegationRequested(@Nonnull
                                       org.opensaml.profile.context.ProfileRequestContext requestContext)

Check whether issuance of a delegated token has been requested.

Parameters:

requestContext - the current request context

Returns:

true if delegation is requested, false otherwise

getDelegationRequestedByMetadata

@Nonnull
private DelegationRequest getDelegationRequestedByMetadata(@Nonnull
                                                         org.opensaml.profile.context.ProfileRequestContext requestContext)

Determine whether a delegation token was requested via the SP's SPSSODescriptor AttributeConsumingService.

Parameters:

requestContext - the current request context

Returns:

DelegationRequest enum value as appropriate

isDelegationRequestedByAudience

private boolean isDelegationRequestedByAudience(@Nonnull
                                      org.opensaml.profile.context.ProfileRequestContext requestContext)

Determine whether a delegation token was requested via the inbound AuthnRequest's Conditions' AudienceRestriction.

Parameters:

requestContext - the current request context

Returns:

true if the AudienceRestrictions condition contained the local entity Id, false otherwise