org.opensaml
Class SAMLPOSTProfile

java.lang.Object
  extended by org.opensaml.SAMLPOSTProfile

public class SAMLPOSTProfile
extends java.lang.Object

Basic implementation of the SAML browser POST profile

Author:
Scott Cantor

Constructor Summary
SAMLPOSTProfile()
           
 
Method Summary
static SAMLResponse accept(byte[] buf, java.lang.String receiver, int ttlSeconds, boolean process)
          Parse a Base-64 encoded buffer back into a SAML response and optionally test its validity against the POST profile
static boolean checkReplayCache(SAMLAssertion a)
          Searches the replay cache for the specified assertion and inserts a newly seen assertion into the cache
static SAMLAssertion getSSOAssertion(SAMLResponse r, java.util.Collection audiences)
          Locates an assertion containing a "bearer" AuthenticationStatement in the response and validates the enclosing assertion with respect to the POST profile
static SAMLAuthenticationStatement getSSOStatement(SAMLAssertion a)
          Locates a "bearer" AuthenticationStatement in the assertion and validates the statement with respect to the POST profile
static SAMLResponse prepare(java.lang.String recipient, java.lang.String issuer, java.util.Collection audiences, SAMLNameIdentifier nameId, java.lang.String subjectIP, java.lang.String authMethod, java.util.Date authInstant, java.util.Collection bindings)
          Used by authenticating site to generate a SAML response conforming to the POST profile
static SAMLResponse prepare(java.lang.String recipient, java.lang.String issuer, java.util.Collection audiences, java.lang.String name, java.lang.String nameQualifier, java.lang.String format, java.lang.String subjectIP, java.lang.String authMethod, java.util.Date authInstant, java.util.Collection bindings)
          Deprecated. Callers should prefer the overloaded method that accepts SAMLNameIdentifier objects
static void process(SAMLResponse r, java.lang.String receiver, int ttlSeconds)
          Test the validity of a response against the POST profile
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLPOSTProfile

public SAMLPOSTProfile()
Method Detail

getSSOAssertion

public static SAMLAssertion getSSOAssertion(SAMLResponse r,
                                            java.util.Collection audiences)
                                     throws SAMLException
Locates an assertion containing a "bearer" AuthenticationStatement in the response and validates the enclosing assertion with respect to the POST profile

Parameters:
r - The response to the accepting site
audiences - The set of audience values to test any conditions against
Returns:
An SSO assertion
Throws:
SAMLException - Thrown if a valid SSO assertion cannot be found

getSSOStatement

public static SAMLAuthenticationStatement getSSOStatement(SAMLAssertion a)
                                                   throws SAMLException
Locates a "bearer" AuthenticationStatement in the assertion and validates the statement with respect to the POST profile

Parameters:
a - The SSO assertion sent to the accepting site
Returns:
A "bearer" authentication statement
Throws:
SAMLException - Thrown if an SSO statement cannot be found

checkReplayCache

public static boolean checkReplayCache(SAMLAssertion a)
Searches the replay cache for the specified assertion and inserts a newly seen assertion into the cache

Also performs garbage collection of the cache by deleting expired entries.

Parameters:
a - The assertion to look up and possibly add
Returns:
true iff the assertion has not been seen before

accept

public static SAMLResponse accept(byte[] buf,
                                  java.lang.String receiver,
                                  int ttlSeconds,
                                  boolean process)
                           throws SAMLException
Parse a Base-64 encoded buffer back into a SAML response and optionally test its validity against the POST profile

The signature over the response is neither verified nor examined, and the identity of the signer is not established. The replay cache is also not checked. Before relying on anything the response asserts, the caller must verify the signature against a key it trusts for the expected issuer and must call checkReplayCache(SAMLAssertion) on the assertion it selects.

Parameters:
buf - A Base-64 encoded buffer containing a SAML response
receiver - The URL of the intended consumer of the response
ttlSeconds - Maximum number of seconds allowed to have elapsed since the response was issued
process - Process the response or just decode and parse it?
Returns:
SAML response sent by origin site
Throws:
SAMLException - Thrown if the response is invalid

process

public static void process(SAMLResponse r,
                           java.lang.String receiver,
                           int ttlSeconds)
                    throws SAMLException
Test the validity of a response against the POST profile

The signature over the response is neither verified nor examined, and the identity of the signer is not established. The replay cache is also not checked. Before relying on anything the response asserts, the caller must verify the signature against a key it trusts for the expected issuer and must call checkReplayCache(SAMLAssertion) on the assertion it selects.

Parameters:
r - The response to process
receiver - The URL of the intended consumer of the response
ttlSeconds - Maximum number of seconds allowed to have elapsed since the response was issued
Throws:
SAMLException - Thrown if the response is invalid
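The following is an added example of the relying-party side of the profile, not code from OpenSAML itself. It strings together accept, getSSOAssertion, checkReplayCache and getSSOStatement in the order a verifier should run them, and inserts the two checks this class explicitly leaves to the caller. The signature-verification call (verify(java.security.Key) on a signed object) and the SAMLAssertion.getIssuer() accessor are assumed from the wider OpenSAML 1.x API and are not documented on this page; the receiver URL, audience URI and TTL are hypothetical deployment values.

```java
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collection;

import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLPOSTProfile;
import org.opensaml.SAMLResponse;

/**
 * Added example (not part of OpenSAML): consume the Base-64 SAMLResponse
 * form field at a relying party. accept() and process() neither verify the
 * signature nor consult the replay cache, so both are done here explicitly.
 */
public class AcceptPostResponse {

    // Hypothetical deployment values.
    private static final String RECEIVER = "https://sp.example.org/SAML/POST";
    private static final Collection AUDIENCES =
            Arrays.asList(new String[] { "urn:mace:example.org:sp" });
    private static final int TTL_SECONDS = 300;

    /**
     * @param b64            raw value of the SAMLResponse form parameter
     * @param trustedKey     public key the expected issuer signs with
     * @param expectedIssuer issuer name that trustedKey is bound to
     * @return the bearer AuthenticationStatement to log the user in from
     */
    public static SAMLAuthenticationStatement consume(byte[] b64,
                                                      PublicKey trustedKey,
                                                      String expectedIssuer)
            throws SAMLException {

        // 1. Decode, parse and run the profile checks (recipient URL and
        //    issuance age, per the accept() parameter docs). Signature and
        //    replay are NOT covered by this call.
        SAMLResponse r = SAMLPOSTProfile.accept(b64, RECEIVER, TTL_SECONDS, true);

        // 2. Verify the signature against the key we trust before reading
        //    anything out of the response. (assumed API: verify(Key))
        r.verify(trustedKey);

        // 3. Locate the bearer SSO assertion and test its Conditions against
        //    our audience set.
        SAMLAssertion a = SAMLPOSTProfile.getSSOAssertion(r, AUDIENCES);

        // 4. Bind the signature to the content: the trusted key must belong
        //    to the issuer named in the assertion, otherwise a response signed
        //    by any key we trust could assert any issuer. (assumed API: getIssuer())
        if (!expectedIssuer.equals(a.getIssuer())) {
            throw new SAMLException("assertion issuer does not match the signing key's owner");
        }

        // 5. Reject replays: checkReplayCache returns true only the first time
        //    this assertion is presented.
        if (!SAMLPOSTProfile.checkReplayCache(a)) {
            throw new SAMLException("assertion has already been presented");
        }

        // 6. Pull out the bearer AuthenticationStatement for the session.
        return SAMLPOSTProfile.getSSOStatement(a);
    }
}
```

Steps 2 and 4 are the ones most often skipped: verifying a signature proves only that some trusted key signed the response, and step 4 is what ties that key to the issuer the assertion claims. The replay check is deliberately placed after signature verification so that unsigned or forged responses cannot poison the cache with identifiers the legitimate issuer will use later.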

prepare

public static SAMLResponse prepare(java.lang.String recipient,
                                   java.lang.String issuer,
                                   java.util.Collection audiences,
                                   java.lang.String name,
                                   java.lang.String nameQualifier,
                                   java.lang.String format,
                                   java.lang.String subjectIP,
                                   java.lang.String authMethod,
                                   java.util.Date authInstant,
                                   java.util.Collection bindings)
                            throws SAMLException
Deprecated. Callers should prefer the overloaded method that accepts SAMLNameIdentifier objects

Used by the authenticating site to generate a SAML response conforming to the POST profile

The response MUST be signed by the caller before it is sent to the relying site.

Implementations that need to embed additional statements or more complex conditions can override or ignore this class.

Parameters:
recipient - URL of intended consumer
issuer - Issuer of assertion
audiences - URIs identifying intended relying parties/communities (optional)
name - Name of subject
nameQualifier - Federates or qualifies subject name (optional)
format - URI describing name semantics and format (optional)
subjectIP - Client address of subject (optional)
authMethod - URI of authentication method being asserted
authInstant - Date and time of authentication being asserted
bindings - Set of SAML authorities the relying party may contact (optional)
Returns:
SAML response to send to accepting site
Throws:
SAMLException - Base class of exceptions that may be thrown during processing

prepare

public static SAMLResponse prepare(java.lang.String recipient,
                                   java.lang.String issuer,
                                   java.util.Collection audiences,
                                   SAMLNameIdentifier nameId,
                                   java.lang.String subjectIP,
                                   java.lang.String authMethod,
                                   java.util.Date authInstant,
                                   java.util.Collection bindings)
                            throws SAMLException
Used by the authenticating site to generate a SAML response conforming to the POST profile

The response MUST be signed by the caller before it is sent to the relying site.

Implementations that need to embed additional statements or more complex conditions can override or ignore this class.

Parameters:
recipient - URL of intended consumer
issuer - Issuer of assertion
audiences - URIs identifying intended relying parties/communities (optional)
nameId - Name Identifier representing the subject
subjectIP - Client address of subject (optional)
authMethod - URI of authentication method being asserted
authInstant - Date and time of authentication being asserted
bindings - Set of SAML authorities the relying party may contact (optional)
Returns:
SAML response to send to accepting site
Throws:
SAMLException - Base class of exceptions that may be thrown during processing
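The following is an added example of the authenticating site's half of the profile, written for this page and not taken from OpenSAML. It builds the response with the non-deprecated prepare(SAMLNameIdentifier) overload, signs it as the contract above requires, and returns the Base-64 text that accept() expects in the SAMLResponse form field. The SAMLNameIdentifier(String, String, String) constructor, sign(String, java.security.Key, java.util.Collection) and toBase64() are assumed from the wider OpenSAML 1.x API and are not documented on this page; the recipient, issuer and audience values are hypothetical.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLPOSTProfile;
import org.opensaml.SAMLResponse;

/**
 * Added example (not part of OpenSAML): prepare, sign and encode a POST
 * profile response at the authenticating site.
 */
public class IssuePostResponse {

    // Hypothetical deployment values.
    private static final String RECIPIENT = "https://sp.example.org/SAML/POST";
    private static final String ISSUER = "idp.example.edu";
    private static final String AUDIENCE = "urn:mace:example.org:sp";

    // Standard SAML 1.x URIs for the name format and authentication method.
    private static final String FORMAT_EMAIL =
            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    private static final String AUTHN_PASSWORD =
            "urn:oasis:names:tc:SAML:1.0:am:password";

    /**
     * @param userEmail    subject's e-mail address (used as the name)
     * @param clientIp     address the user authenticated from, or null
     * @param authInstant  time the user actually authenticated (not "now")
     * @param signingKey   private key of ISSUER
     * @param signingCert  certificate to embed alongside the signature
     * @return Base-64 text for the SAMLResponse form field
     */
    public static byte[] issue(String userEmail, String clientIp, Date authInstant,
                               PrivateKey signingKey, X509Certificate signingCert)
            throws SAMLException {

        // Name qualifier ties the identifier to this issuer's namespace.
        // (assumed API: SAMLNameIdentifier(name, nameQualifier, format))
        SAMLNameIdentifier nameId = new SAMLNameIdentifier(userEmail, ISSUER, FORMAT_EMAIL);

        // Restrict the assertion to one audience so it cannot be presented
        // to a different relying party that trusts the same issuer.
        SAMLResponse r = SAMLPOSTProfile.prepare(
                RECIPIENT,
                ISSUER,
                Arrays.asList(new String[] { AUDIENCE }), // audiences
                nameId,
                clientIp,                                 // subjectIP (optional)
                AUTHN_PASSWORD,                           // authMethod
                authInstant,                              // authInstant
                null);                                    // bindings (optional)

        // The profile requires the response to be signed before it leaves;
        // prepare() does not sign. (assumed API: sign(alg, key, certs))
        r.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA, signingKey,
               Collections.singletonList(signingCert));

        // accept() on the relying party decodes this Base-64 form.
        // (assumed API: toBase64())
        return r.toBase64();
    }
}
```

Two details matter on this side: authInstant should be the recorded time of the user's login rather than the moment the response is built, because the relying party's ttlSeconds check is about freshness of the issuance, not of the authentication; and the audience restriction is what keeps a response bound for one relying party from being replayed at another site that trusts the same issuer.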


Copyright © 2002 UCAID. All Rights Reserved.