Package net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class PopulateDelegationContext

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.PopulateDelegationContext

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class PopulateDelegationContext
extends AbstractProfileAction

A profile action which determines whether issuance of a delegated Assertion token is active, and populates a DelegationContext appropriately.

The output of 3 different evaluations is combined to produce the final result:

1. Determination is made whether delegation is requested by the relying party, as a value of type DelegationRequest. Delegation may be requested via:
   • The inclusion of the IdP entityID as an Audience in the AudienceRestriction condition of the inbound AuthnRequest.
   • The presence of a RequestedAttribute with name LibertyConstants.SERVICE_TYPE_SSOS in the relying party's metadata via AttributeConsumingService.
2. Determination is made whether issuance of a delegated token is allowed for the relying party, based on the (predicate driven) BrowserSSOProfileConfiguration.isAllowDelegation(ProfileRequestContext) method.
3. Holder-of-key subject confirmation Credential instances are resolved for the relying party from its resolved metadata RoleDescriptor.

If 1) delegation is allowed, 2) subject confirmation credentials were resolved, and 3) request status was either DelegationRequest.REQUESTED_OPTIONAL or DelegationRequest.REQUESTED_REQUIRED, a DelegationContext is populated indicating issuance of delegated token to be active, and containing the resolved subject confirmation credentials.

If request status was DelegationRequest.REQUESTED_REQUIRED but delegation was not allowed and/or no subject confirmation credentials could be resolved, a fatal event is produced.

Otherwise, issuance of a delegated token is not active and so no DelegationContext is populated.

Event:

EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR, EventIds.INVALID_SEC_CFG

Field Summary

Fields

Modifier and Type	Field	Description
private AttributeConsumingService	attributeConsumingService	The AttributeConsumingService for the SAML peer entity.
private List<Credential>	confirmationCredentials	The subject confirmation credentials.
private CredentialResolver	credentialResolver	The credential resolver used to resolve HoK Credentials for the peer.
private DelegationRequest	defaultDelegationRequested	Default delegation request value.
private boolean	delegationAllowed	Whether delegation is allowed for the current relying party.
private Function<ProfileRequestContext,DelegationContext>	delegationContextLookupStrategy	Strategy used to lookup the DelegationContext.
private DelegationRequest	delegationRequested	The delegation requested state for the current request.
private org.slf4j.Logger	log	Class logger.
private RelyingPartyContext	relyingPartyContext	The current RelyingPartyContext.
private Function<ProfileRequestContext,RelyingPartyContext>	relyingPartyContextLookupStrategy	Strategy used to lookup the RelyingPartyContext.
private String	relyingPartyId	The entityID of the SAML relying party.
private String	responderId	The entityID of the local responder entity.
private RoleDescriptor	roleDescriptor	The RoleDescriptor for the SAML peer entity.
private Function<ProfileRequestContext,SAMLMetadataContext>	samlMetadataContextLookupStrategy	Strategy used to lookup the SAMLMetadataContext.

Constructor Summary

Constructors

Constructor	Description
PopulateDelegationContext()	Constructor.

Method Summary

Modifier and Type	Method	Description
private void	createAndPopulateDelegationContext(ProfileRequestContext profileRequestContext)	Create and populate the DelegationContext using the available information.
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
protected boolean	doPreExecuteInbound(ProfileRequestContext profileRequestContext)	Pre-execute actions on the inbound message.
protected boolean	doPreExecuteMetadata(ProfileRequestContext profileRequestContext)	Pre-execute actions on the relying party metadata.
protected boolean	doPreExecuteRelyingParty(ProfileRequestContext profileRequestContext)	Pre-execute actions on the relying party context info.
DelegationRequest	getDefaultDelegationRequested()	Get the effective default value for whether request processing should proceed with issuance of a delegation token.
private DelegationRequest	getDelegationRequested(ProfileRequestContext requestContext)	Check whether issuance of a delegated token has been requested.
private DelegationRequest	getDelegationRequestedByMetadata(ProfileRequestContext requestContext)	Determine whether a delegation token was requested via the SP's SPSSODescriptor AttributeConsumingService.
private boolean	isDelegationRequestedByAudience(ProfileRequestContext requestContext)	Determine whether a delegation token was requested via the inbound AuthnRequest's Conditions' AudienceRestriction.
private List<Credential>	resolveConfirmationCredentials(ProfileRequestContext requestContext)	Resolve the subject confirmation credentials.
void	setCredentialResolver(CredentialResolver resolver)	Set the CredentialResolver instance to use to resolve HoK Credential.
void	setDefaultDelegationRequested(DelegationRequest delegationRequest)	Set the effective default value for whether request processing should proceed with issuance of a delegation token.
void	setDelegationContextLookupStrategy(Function<ProfileRequestContext,DelegationContext> strategy)	Set the strategy used to locate the current DelegationContext.
void	setRelyingPartyContextLookupStrategy(Function<ProfileRequestContext,RelyingPartyContext> strategy)	Set the strategy used to locate the current RelyingPartyContext.
void	setSAMLMetadataContextLookupStrategy(Function<ProfileRequestContext,SAMLMetadataContext> strategy)	Set the strategy used to locate the current SAMLMetadataContext.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

relyingPartyContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

samlMetadataContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,SAMLMetadataContext> samlMetadataContextLookupStrategy

Strategy used to lookup the SAMLMetadataContext.

delegationContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,DelegationContext> delegationContextLookupStrategy

Strategy used to lookup the DelegationContext.

defaultDelegationRequested

private DelegationRequest defaultDelegationRequested

Default delegation request value.

credentialResolver

@Nonnull
private CredentialResolver credentialResolver

The credential resolver used to resolve HoK Credentials for the peer.

delegationRequested

private DelegationRequest delegationRequested

The delegation requested state for the current request.

relyingPartyContext

private RelyingPartyContext relyingPartyContext

The current RelyingPartyContext.

delegationAllowed

private boolean delegationAllowed

Whether delegation is allowed for the current relying party.

responderId

private String responderId

The entityID of the local responder entity.

relyingPartyId

private String relyingPartyId

The entityID of the SAML relying party.

roleDescriptor

private RoleDescriptor roleDescriptor

The RoleDescriptor for the SAML peer entity.

attributeConsumingService

private AttributeConsumingService attributeConsumingService

The AttributeConsumingService for the SAML peer entity.

confirmationCredentials

private List<Credential> confirmationCredentials

The subject confirmation credentials.

Constructor Detail

PopulateDelegationContext

public PopulateDelegationContext()

Constructor.

Method Detail

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:

strategy - strategy used to locate the current RelyingPartyContext

setSAMLMetadataContextLookupStrategy

public void setSAMLMetadataContextLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,SAMLMetadataContext> strategy)

Set the strategy used to locate the current SAMLMetadataContext.

Parameters:

strategy - strategy used to locate the current SAMLMetadataContext

setDelegationContextLookupStrategy

public void setDelegationContextLookupStrategy(@Nonnull
                                               Function<ProfileRequestContext,DelegationContext> strategy)

Set the strategy used to locate the current DelegationContext.

Parameters:

strategy - strategy used to locate the current DelegationContext

setCredentialResolver

public void setCredentialResolver(@Nonnull
                                  CredentialResolver resolver)

Set the CredentialResolver instance to use to resolve HoK Credential.

Typically this should be a metadata-based resolver which accepts input as the peer's RoleDescriptor.

Parameters:

resolver - the resolver instance to use

getDefaultDelegationRequested

@Nonnull
public DelegationRequest getDefaultDelegationRequested()

Get the effective default value for whether request processing should proceed with issuance of a delegation token.

Returns:

the default value

setDefaultDelegationRequested

public void setDefaultDelegationRequested(@Nonnull
                                          DelegationRequest delegationRequest)

Set the effective default value for whether request processing should proceed with issuance of a delegation token.

Parameters:

delegationRequest - the default delegation requested value

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractConditionalProfileAction

doPreExecuteInbound

protected boolean doPreExecuteInbound(@Nonnull
                                      ProfileRequestContext profileRequestContext)

Pre-execute actions on the inbound message.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty

protected boolean doPreExecuteRelyingParty(@Nonnull
                                           ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party context info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteMetadata

protected boolean doPreExecuteMetadata(@Nonnull
                                       ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party metadata.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed, false otherwise

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

createAndPopulateDelegationContext

private void createAndPopulateDelegationContext(ProfileRequestContext profileRequestContext)

Create and populate the DelegationContext using the available information.

Parameters:

profileRequestContext - the current request context

resolveConfirmationCredentials

private List<Credential> resolveConfirmationCredentials(@Nonnull
                                                        ProfileRequestContext requestContext)

Resolve the subject confirmation credentials.

Parameters:

requestContext - the current request context

Returns:

the subject confirmation credentials, or null if not resolveable or there is an error

getDelegationRequested

private DelegationRequest getDelegationRequested(@Nonnull
                                                 ProfileRequestContext requestContext)

Check whether issuance of a delegated token has been requested.

Parameters:

requestContext - the current request context

Returns:

true if delegation is requested, false otherwise

getDelegationRequestedByMetadata

@Nonnull
private DelegationRequest getDelegationRequestedByMetadata(@Nonnull
                                                           ProfileRequestContext requestContext)

Determine whether a delegation token was requested via the SP's SPSSODescriptor AttributeConsumingService.

Parameters:

requestContext - the current request context

Returns:

DelegationRequest enum value as appropriate

isDelegationRequestedByAudience

private boolean isDelegationRequestedByAudience(@Nonnull
                                                ProfileRequestContext requestContext)

Determine whether a delegation token was requested via the inbound AuthnRequest's Conditions' AudienceRestriction.

Parameters:

requestContext - the current request context

Returns:

true if the AudienceRestrictions condition contained the local entity Id, false otherwise