java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction
  - - org.opensaml.profile.action.AbstractConditionalProfileAction
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.saml.saml2.profile.delegation.impl.DecorateDelegatedAssertion

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
```
public class DecorateDelegatedAssertion
extends AbstractProfileAction
```
A profile action which decorates instances of Assertion appropriately for use as delegation tokens.
An instance of DelegationContext is resolved via the strategy set via setDelegationContextLookupStrategy(Function). If no delegation context is found or if DelegationContext.isIssuingDelegatedAssertion() is false, then no decoration occurs.

The decoration consists of 3 primary parts:
1. A holder-of-key SubjectConfirmation is added to the assertion's Subject. The credentials used are taken from DelegationContext.getSubjectConfirmationCredentials().
2. An additional Audience is added to the assertion condition AudienceRestriction, indicating the IdP's own entityID as an acceptable audience. The IdP entityID is resolved from the active RelyingPartyContext, which is resolved via the strategy set by setRelyingPartyContextLookupStrategy(Function).
3. An additional Attribute is added to the assertion's AttributeStatement containing an EndpointReference, indicating the location and other info necessary for the recipient to present the delegated assertion at the IdP for delegated SSO. The attribute name is a URI type with name LibertyConstants.SERVICE_TYPE_SSOS. The endpoint URL is either set directly on this action via setLibertySSOSEndpointURL(String), or is resolved via the strategy setLibertySSOSEndpointURLLookupStrategy(Function).
Event:

EventIds.INVALID_PROFILE_CTX

Nested Class Summary

Nested Classes
Modifier and Type	Class	Description
`private class`	`DecorateDelegatedAssertion.AssertionStrategy`	Default strategy for obtaining assertion to modify.
`static class`	`DecorateDelegatedAssertion.LibertySSOSEndpointURLStrategy`	Strategy that builds the SSOS endpoint URL based on the current HTTP request using default values for scheme, port and URI path suffix.

Field Summary

Fields
Modifier and Type	Field	Description
`private Function<ProfileRequestContext,List<Assertion>>`	`assertionLookupStrategy`	Strategy used to locate the `Assertion`s on which to operate.
`private List<Assertion>`	`assertions`	The list of assertions on which to operate.
`private DelegationContext`	`delegationContext`	The delegation context instance to be populated.
`private Function<ProfileRequestContext,DelegationContext>`	`delegationContextLookupStrategy`	Strategy used to lookup the `DelegationContext`.
`private NamedKeyInfoGeneratorManager`	`keyInfoGeneratorManager`	The manager used to generate KeyInfo instances from Credentials.
`private String`	`libertySSOSEndpointURL`	The URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`private Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String>`	`libertySSOSEndpointURLLookupStrategy`	The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`private org.slf4j.Logger`	`log`	Class logger.
`private RelyingPartyContext`	`relyingPartyContext`	The current RelyingPartyContext.
`private Function<ProfileRequestContext,RelyingPartyContext>`	`relyingPartyContextLookupStrategy`	Strategy used to lookup the RelyingPartyContext.
`private String`	`relyingPartyId`	The entityID of the SAML relying party.
`private String`	`responderId`	The entityID of the local responder entity.

Constructor Summary

Constructors
Constructor Description

DecorateDelegatedAssertion()
Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`private void`	`addIdPAudienceRestriction(ProfileRequestContext requestContext, Assertion assertion)`	An an AudienceRestriction condition indicating the IdP as an acceptable Audience.
`private void`	`addLibertySSOSEPRAttribute(ProfileRequestContext requestContext, Assertion assertion)`	Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.
`private void`	`addSAMLPeerSubjectConfirmation(ProfileRequestContext requestContext, Assertion assertion)`	Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.
`private XMLObject`	`buildLibertSSOSEPRAttributeValue(ProfileRequestContext requestContext, Assertion assertion)`	Build the Liberty SSOS EPR AttributeValue object.
`private void`	`decorateDelegatedAssertion(ProfileRequestContext requestContext)`	Decorate the Assertion to allow use as a delegated security token by the SAML requester.
`protected void`	`doExecute(ProfileRequestContext profileRequestContext)`
`protected void`	`doInitialize()`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext)`
`protected boolean`	`doPreExecuteDelegationInfo(ProfileRequestContext profileRequestContext)`	Pre-execute actions on the delegation-specific info.
`protected boolean`	`doPreExecuteRelyingParty(ProfileRequestContext profileRequestContext)`	Pre-execute actions on the relying party context info.
`private void`	`resolveLibertySSOSEndpointURL(ProfileRequestContext profileRequestContext)`	Resolve and store the effective Liberty SSOS endpoint URL to use.
`void`	`setAssertionLookupStrategy(Function<ProfileRequestContext,List<Assertion>> strategy)`	Set the strategy used to locate the `Assertion` to operate on.
`void`	`setDelegationContextLookupStrategy(Function<ProfileRequestContext,DelegationContext> strategy)`	Set the strategy used to locate the current `DelegationContext`.
`void`	`setKeyInfoGeneratorManager(NamedKeyInfoGeneratorManager manager)`	Set the `KeyInfoGeneratorManager` instance used to generate `KeyInfo` from `Credential`.
`void`	`setLibertySSOSEndpointURL(String url)`	Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`void`	`setLibertySSOSEndpointURLLookupStrategy(Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> strategy)`	Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
`void`	`setRelyingPartyContextLookupStrategy(Function<ProfileRequestContext,RelyingPartyContext> strategy)`	Set the strategy used to locate the current `RelyingPartyContext`.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail
- log
```
private final org.slf4j.Logger log
```
  Class logger.
- libertySSOSEndpointURL
```
private String libertySSOSEndpointURL
```
  The URL at which the IdP will accept Liberty ID-WSF SSOS requests.
- libertySSOSEndpointURLLookupStrategy
```
@Nullable
private Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> libertySSOSEndpointURLLookupStrategy
```
  The strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.
- relyingPartyContextLookupStrategy
```
@Nonnull
private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy
```
  Strategy used to lookup the RelyingPartyContext.
- delegationContextLookupStrategy
```
@Nonnull
private Function<ProfileRequestContext,DelegationContext> delegationContextLookupStrategy
```
  Strategy used to lookup the DelegationContext.
- assertionLookupStrategy
```
@Nonnull
private Function<ProfileRequestContext,List<Assertion>> assertionLookupStrategy
```
  Strategy used to locate the Assertions on which to operate.
- keyInfoGeneratorManager
```
@Nonnull
private NamedKeyInfoGeneratorManager keyInfoGeneratorManager
```
  The manager used to generate KeyInfo instances from Credentials.
- delegationContext
```
private DelegationContext delegationContext
```
  The delegation context instance to be populated.
- assertions
```
private List<Assertion> assertions
```
  The list of assertions on which to operate.
- relyingPartyContext
```
private RelyingPartyContext relyingPartyContext
```
  The current RelyingPartyContext.
- responderId
```
private String responderId
```
  The entityID of the local responder entity.
- relyingPartyId
```
private String relyingPartyId
```
  The entityID of the SAML relying party.

Constructor Detail
- DecorateDelegatedAssertion
```
public DecorateDelegatedAssertion()
```
  Constructor.

Method Detail

setLibertySSOSEndpointURL
```
public void setLibertySSOSEndpointURL(@Nullable
                                      String url)
```
Set the statically-configured URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:

url - the Liberty ID-WSF SSOS endpoint URL, or null

setLibertySSOSEndpointURLLookupStrategy

public void setLibertySSOSEndpointURLLookupStrategy(@Nullable
                                                    Function<Pair<ProfileRequestContext,javax.servlet.http.HttpServletRequest>,String> strategy)

Set strategy used to resolve the URL at which the IdP will accept Liberty ID-WSF SSOS requests.

Parameters:: strategy - the Liberty ID-WSF SSOS endpoint URL lookup strategy, or null

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:: strategy - strategy used to locate the current RelyingPartyContext

setDelegationContextLookupStrategy

public void setDelegationContextLookupStrategy(@Nonnull
                                               Function<ProfileRequestContext,DelegationContext> strategy)

Set the strategy used to locate the current DelegationContext.

Parameters:: strategy - strategy used to locate the current DelegationContext

setAssertionLookupStrategy

public void setAssertionLookupStrategy(@Nonnull
                                       Function<ProfileRequestContext,List<Assertion>> strategy)

Set the strategy used to locate the Assertion to operate on.

Parameters:: strategy - strategy used to locate the Assertion to operate on

setKeyInfoGeneratorManager

public void setKeyInfoGeneratorManager(@Nonnull
                                       NamedKeyInfoGeneratorManager manager)

Set the KeyInfoGeneratorManager instance used to generate KeyInfo from Credential.

Parameters:: manager - the manager instance to use

doInitialize
```
protected void doInitialize()
                     throws ComponentInitializationException
```
Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:: doPreExecute in class AbstractConditionalProfileAction

doPreExecuteDelegationInfo
```
protected boolean doPreExecuteDelegationInfo(@Nonnull
                                             ProfileRequestContext profileRequestContext)
```
Pre-execute actions on the delegation-specific info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty
```
protected boolean doPreExecuteRelyingParty(@Nonnull
                                           ProfileRequestContext profileRequestContext)
```
Pre-execute actions on the relying party context info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:: doExecute in class AbstractProfileAction

resolveLibertySSOSEndpointURL
```
private void resolveLibertySSOSEndpointURL(ProfileRequestContext profileRequestContext)
```
Resolve and store the effective Liberty SSOS endpoint URL to use.

Parameters:

profileRequestContext - the current request context

decorateDelegatedAssertion

private void decorateDelegatedAssertion(@Nonnull
                                        ProfileRequestContext requestContext)
                                 throws EventException

Decorate the Assertion to allow use as a delegated security token by the SAML requester.

Parameters:: requestContext - the current request context
Throws:: EventException - to propagate events

addLibertySSOSEPRAttribute

private void addLibertySSOSEPRAttribute(@Nonnull
                                        ProfileRequestContext requestContext,
                                        @Nonnull
                                        Assertion assertion)

Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement.

Parameters:: requestContext - the current request context; assertion - the delegated assertion being issued

buildLibertSSOSEPRAttributeValue

@Nonnull
private XMLObject buildLibertSSOSEPRAttributeValue(@Nonnull
                                                   ProfileRequestContext requestContext,
                                                   @Nonnull
                                                   Assertion assertion)

Build the Liberty SSOS EPR AttributeValue object.

Parameters:: requestContext - the current request context; assertion - the delegated assertion being issued
Returns:: the AttributeValue object containing the EPR

addIdPAudienceRestriction

private void addIdPAudienceRestriction(@Nonnull
                                       ProfileRequestContext requestContext,
                                       @Nonnull
                                       Assertion assertion)

An an AudienceRestriction condition indicating the IdP as an acceptable Audience.

Parameters:: requestContext - the current request context; assertion - the assertion being isued

addSAMLPeerSubjectConfirmation

private void addSAMLPeerSubjectConfirmation(@Nonnull
                                            ProfileRequestContext requestContext,
                                            @Nonnull
                                            Assertion assertion)
                                     throws EventException

Add SubjectConfirmation to the Assertion Subject to allow confirmation when wielded by the SAML requester.

Parameters:: requestContext - the current request context; assertion - the assertion being issued
Throws:: EventException - to propagate event signals

Class DecorateDelegatedAssertion

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

log

libertySSOSEndpointURL

libertySSOSEndpointURLLookupStrategy

relyingPartyContextLookupStrategy

delegationContextLookupStrategy

assertionLookupStrategy

keyInfoGeneratorManager

delegationContext

assertions

relyingPartyContext

responderId

relyingPartyId

Constructor Detail

DecorateDelegatedAssertion