java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction
  - - org.opensaml.profile.action.AbstractConditionalProfileAction
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.authn.AbstractAuthenticationAction
        
        net.shibboleth.idp.authn.AbstractValidationAction
        
        net.shibboleth.idp.saml.saml2.profile.impl.ValidateSAMLAuthentication

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
```
public class ValidateSAMLAuthentication
extends AbstractValidationAction
```
An action that produces an AuthenticationResult based on an inbound SAML 2.0 SSO response.
A SAMLAuthnContext is used as the basis of the result and the lack of a context is a signal to record a failure. Actual validation is all upstream of this action, but the use of the ValidationAction subclass is a convenience for auditing and handling the result.
Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, IdPEventIds.INVALID_RELYING_PARTY_CTX, IdPEventIds.INVALID_PROFILE_CONFIG

Precondition:
```
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null
```
Postcondition:

If AuthenticationContext.getSubcontext(SAMLAuthnContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext.

Field Summary

Fields
Modifier and Type	Field	Description
`private AttributeContext`	`attributeContext`	Context for externally supplied inbound attributes.
`private Function<ProfileRequestContext,Collection<IdPAttribute>>`	`attributeExtractionStrategy`	Pluggable strategy function for generalized extraction of data.
`private ReloadableService<AttributeFilter>`	`attributeFilterService`	Service used to get the engine used to filter attributes.
`private Function<AuthnContext,Collection<Principal>>`	`authnContextTranslator`	Incoming context translation function.
`private Function<ProfileRequestContext,Collection<Principal>>`	`authnContextTranslatorEx`	Incoming context extended translation function.
`private static String`	`DEFAULT_METRIC_NAME`	Default prefix for metrics.
`private org.slf4j.Logger`	`log`	Class logger.
`private String`	`loggedAttributeId`	An IdPAttribute ID to log as a "name" in place of the NameID for "info" purposes.
`private MetadataResolver`	`metadataResolver`	Optional supplemental metadata source for filtering.
`private BrowserSSOProfileConfiguration`	`profileConfiguration`	Store off profile config.
`private Function<ProfileRequestContext,RelyingPartyContext>`	`relyingPartyContextLookupStrategy`	Strategy used to look up a `RelyingPartyContext` for configuration options.
`private SAMLAuthnContext`	`samlAuthnContext`	Context containing the result to validate.
`private ReloadableService<AttributeTranscoderRegistry>`	`transcoderRegistry`	Transcoder registry service object.

Constructor Summary

Constructors
Constructor Description

ValidateSAMLAuthentication()
Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`private ProxyAuthenticationPrincipal`	`buildProxyPrincipal(AuthnContext authnContext)`	Construct a populated `ProxyAuthenticationPrincipal` based on the inbound assertion.
`private void`	`decodeAttribute(AttributeTranscoderRegistry registry, ProfileRequestContext profileRequestContext, Attribute input, Multimap<String,IdPAttribute> results)`	Access the registry of transcoding rules to decode the input `Attribute`.
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`private void`	`filterAttributes(ProfileRequestContext profileRequestContext)`	Check for inbound attributes and apply filtering.
`protected void`	`logSuccess()`	Log a successful authentication based on a designated attribute ID or the NameID value.
`private void`	`populateFilterContext(ProfileRequestContext profileRequestContext, AttributeFilterContext filterContext)`	Fill in the filter context data.
`protected Subject`	`populateSubject(Subject subject)`
`private void`	`processAttributes(ProfileRequestContext profileRequestContext)`	Process the inbound SAML Attributes.
`void`	`setAttributeExtractionStrategy(Function<ProfileRequestContext,Collection<IdPAttribute>> strategy)`	Sets the strategy function to invoke for generalized extraction of data into `IdPAttribute` objects for inclusion in the `AuthenticationResult`.
`void`	`setAttributeFilter(ReloadableService<AttributeFilter> filterService)`	Sets the filter service to use for inbound attributes.
`void`	`setLoggedAttributeId(String id)`	An attribute ID to pull a "name" from for logging purposes.
`void`	`setMetadataResolver(MetadataResolver resolver)`	Set a metadata source to use during filtering.
`void`	`setRelyingPartyContextLookupStrategy(Function<ProfileRequestContext,RelyingPartyContext> strategy)`	Set the strategy used to return the `RelyingPartyContext` for configuration options.
`void`	`setTranscoderRegistry(ReloadableService<AttributeTranscoderRegistry> registry)`	Sets the registry of transcoding rules to apply to encode attributes.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

DEFAULT_METRIC_NAME
```
@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME
```
Default prefix for metrics.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

transcoderRegistry

@Nullable
private ReloadableService<AttributeTranscoderRegistry> transcoderRegistry

Transcoder registry service object.

attributeFilterService
```
@Nullable
private ReloadableService<AttributeFilter> attributeFilterService
```
Service used to get the engine used to filter attributes.

metadataResolver
```
@Nullable
private MetadataResolver metadataResolver
```
Optional supplemental metadata source for filtering.

relyingPartyContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to look up a RelyingPartyContext for configuration options.

attributeExtractionStrategy

@Nullable
private Function<ProfileRequestContext,Collection<IdPAttribute>> attributeExtractionStrategy

Pluggable strategy function for generalized extraction of data.

loggedAttributeId
```
@Nullable
@NotEmpty
private String loggedAttributeId
```
An IdPAttribute ID to log as a "name" in place of the NameID for "info" purposes.

samlAuthnContext
```
@Nullable
private SAMLAuthnContext samlAuthnContext
```
Context containing the result to validate.

profileConfiguration

@Nullable
private BrowserSSOProfileConfiguration profileConfiguration

Store off profile config.

authnContextTranslator

@Nullable
private Function<AuthnContext,Collection<Principal>> authnContextTranslator

Incoming context translation function.

authnContextTranslatorEx

@Nullable
private Function<ProfileRequestContext,Collection<Principal>> authnContextTranslatorEx

Incoming context extended translation function.

attributeContext
```
@Nullable
private AttributeContext attributeContext
```
Context for externally supplied inbound attributes.

Constructor Detail
- ValidateSAMLAuthentication
```
public ValidateSAMLAuthentication()
```
  Constructor.

Method Detail

setTranscoderRegistry

public void setTranscoderRegistry(@Nullable
                                  ReloadableService<AttributeTranscoderRegistry> registry)

Sets the registry of transcoding rules to apply to encode attributes.

Parameters:: registry - registry service interface

setAttributeFilter

public void setAttributeFilter(@Nullable
                               ReloadableService<AttributeFilter> filterService)

Sets the filter service to use for inbound attributes.

Parameters:: filterService - optional filter service for inbound attributes

setMetadataResolver

public void setMetadataResolver(@Nullable
                                MetadataResolver resolver)

Set a metadata source to use during filtering.

Parameters:: resolver - metadata resolver

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to return the RelyingPartyContext for configuration options.

Parameters:: strategy - lookup strategy

setAttributeExtractionStrategy

public void setAttributeExtractionStrategy(@Nullable
                                           Function<ProfileRequestContext,Collection<IdPAttribute>> strategy)

Sets the strategy function to invoke for generalized extraction of data into IdPAttribute objects for inclusion in the AuthenticationResult.

Parameters:: strategy - extraction strategy

setLoggedAttributeId

public void setLoggedAttributeId(@Nullable @NotEmpty
                                 String id)

An attribute ID to pull a "name" from for logging purposes.

Parameters:: id - attribute ID
Since:: 4.2.0

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               AuthenticationContext authenticationContext)

Overrides:: doPreExecute in class AbstractValidationAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext,
                         @Nonnull
                         AuthenticationContext authenticationContext)

Overrides:: doExecute in class AbstractAuthenticationAction

logSuccess
```
protected void logSuccess()
```
Log a successful authentication based on a designated attribute ID or the NameID value.

populateSubject

@Nonnull
protected Subject populateSubject(@Nonnull
                                  Subject subject)

Specified by:: populateSubject in class AbstractValidationAction

buildProxyPrincipal
```
@Nonnull
private ProxyAuthenticationPrincipal buildProxyPrincipal(@Nonnull
                                                         AuthnContext authnContext)
```
Construct a populated ProxyAuthenticationPrincipal based on the inbound assertion.

Parameters:

authnContext - the SAML AuthnContext issued by the proxied IdP

Returns:

a constructed ProxyAuthenticationPrincipal to include in the Subject

processAttributes

private void processAttributes(@Nonnull
                               ProfileRequestContext profileRequestContext)

Process the inbound SAML Attributes.

Parameters:: profileRequestContext - current profile request context

decodeAttribute

private void decodeAttribute(@Nonnull
                             AttributeTranscoderRegistry registry,
                             @Nonnull
                             ProfileRequestContext profileRequestContext,
                             @Nonnull
                             Attribute input,
                             @Nonnull @NonnullElements @Live
                             Multimap<String,IdPAttribute> results)
                      throws AttributeDecodingException

Access the registry of transcoding rules to decode the input Attribute.

Parameters:: registry - registry of transcoding rules; profileRequestContext - current profile request context; input - input object; results - collection to add results to
Throws:: AttributeDecodingException - if an error occurs or no results were obtained

filterAttributes

private void filterAttributes(@Nonnull
                              ProfileRequestContext profileRequestContext)

Check for inbound attributes and apply filtering.

Parameters:: profileRequestContext - current profile request context

populateFilterContext

private void populateFilterContext(@Nonnull
                                   ProfileRequestContext profileRequestContext,
                                   @Nonnull
                                   AttributeFilterContext filterContext)

Fill in the filter context data.

Parameters:: profileRequestContext - current profile request context; filterContext - context to populate

Class ValidateSAMLAuthentication

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

DEFAULT_METRIC_NAME

log

transcoderRegistry

attributeFilterService

metadataResolver