public class SAML2TokenIssuer extends Object implements TokenIssuer
| Modifier and Type | Field and Description |
|---|---|
| protected List<org.opensaml.xml.signature.Signature> | signatureList |

| Constructor and Description |
|---|
| SAML2TokenIssuer() |

| Modifier and Type | Method and Description |
|---|---|
| protected org.opensaml.saml2.core.Assertion | buildAssertion(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, RahasData data). Builds the SAML2 assertion. |
| protected org.opensaml.saml2.core.AttributeStatement | createAttributeStatement(RahasData data). Creates an AttributeStatement. |
| protected org.opensaml.saml2.core.AuthnStatement | createAuthenticationStatement(RahasData data). Creates an authentication statement. |
| protected org.opensaml.xml.signature.KeyInfo | createKeyInfo(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, RahasData data). Creates the KeyInfo relevant for the assertion. |
| protected org.apache.axiom.soap.SOAPEnvelope | createRequestSecurityTokenResponse(RahasData rahasData, org.opensaml.saml2.core.Assertion assertion, org.apache.axiom.soap.SOAPEnvelope soapEnvelope). Prepares the final response. |
| protected org.opensaml.saml2.core.Subject | createSubjectWithBearerSubjectConfirmation(RahasData data). Creates a subject element with the bearer subject confirmation method. |
| protected org.opensaml.saml2.core.Subject | createSubjectWithHolderOfKeySubjectConfirmation(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, org.joda.time.DateTime creationTime, org.joda.time.DateTime expirationTime, RahasData data). Creates a SAML 2 subject based on the holder-of-key confirmation method. |
| String | getResponseAction(RahasData data). Returns the wsa:Action of the response. |
| org.apache.axiom.soap.SOAPEnvelope | issue(RahasData data). The main method, which issues SAML2 assertions as security token responses. |
| void | setConfigurationElement(org.apache.axiom.om.OMElement configElement). Sets the configuration element of this TokenIssuer. |
| void | setConfigurationFile(String configFile). Sets the configuration file of this TokenIssuer. |
| void | setConfigurationParamName(String configParamName). Sets the name of the configuration parameter. |
| protected static void | setSubjectNamedIdentifierData(org.opensaml.saml2.core.Subject subject, String subjectNameId, String format). Sets the subject principal details (the NameID) on the given subject. |
| protected org.opensaml.saml2.core.Assertion | signAssertion(Document document, org.opensaml.saml2.core.Assertion assertion, org.apache.ws.security.components.crypto.Crypto crypto). Signs the given assertion with the issuer's private key. |
signatureList

protected List<org.opensaml.xml.signature.Signature> signatureList

issue

public org.apache.axiom.soap.SOAPEnvelope issue(RahasData data) throws TrustException

This is the main method, which issues SAML2 assertions as security token responses.

Specified by:
issue in interface TokenIssuer
Parameters:
data - A populated RahasData instance.
Throws:
TrustException - If an error occurred while creating the response.

createRequestSecurityTokenResponse

protected org.apache.axiom.soap.SOAPEnvelope createRequestSecurityTokenResponse(RahasData rahasData, org.opensaml.saml2.core.Assertion assertion, org.apache.axiom.soap.SOAPEnvelope soapEnvelope) throws TrustException

This method prepares the final response. The RequestSecurityTokenResponse has the following structure:
<wst:RequestSecurityTokenResponse xmlns:wst="...">
<wst:TokenType>...</wst:TokenType>
<wst:RequestedSecurityToken>...</wst:RequestedSecurityToken>
...
<wsp:AppliesTo xmlns:wsp="...">...</wsp:AppliesTo>
<wst:RequestedAttachedReference>
...
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
...
</wst:RequestedUnattachedReference>
<wst:RequestedProofToken>...</wst:RequestedProofToken>
<wst:Entropy>
<wst:BinarySecret>...</wst:BinarySecret>
</wst:Entropy>
<wst:Lifetime>...</wst:Lifetime>
</wst:RequestSecurityTokenResponse>
Thus the RequestedSecurityToken element carries the issued SAML2 assertion.

Parameters:
rahasData - The configuration data which comes with the RST.
assertion - OpenSAML representation of the SAML2 assertion.
soapEnvelope - SOAP message envelope.
Throws:
TrustException - If an error occurred while creating the RequestSecurityTokenResponse.

buildAssertion

protected org.opensaml.saml2.core.Assertion buildAssertion(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, RahasData data) throws TrustException

This method builds the SAML2 assertion. The resulting assertion has the following structure (shown here with bearer subject confirmation):
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
Version="2.0"
IssueInstant="2004-12-05T09:22:05Z">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData
InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
Recipient="https://sp.example.com/SAML2/SSO/POST"
NotOnOrAfter="2004-12-05T09:27:05Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions
NotBefore="2004-12-05T09:17:05Z"
NotOnOrAfter="2004-12-05T09:27:05Z">
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00Z"
SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
FriendlyName="eduPersonAffiliation">
<saml:AttributeValue
xsi:type="xs:string">member</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Reference - https://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions

Parameters:
doc - The Document which comprises the SAML 2 assertion.
crypto - Crypto properties.
data - The RST data and other configuration information.
Throws:
TrustException - If an error occurred while creating the Assertion.

createSubjectWithHolderOfKeySubjectConfirmation

protected org.opensaml.saml2.core.Subject createSubjectWithHolderOfKeySubjectConfirmation(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, org.joda.time.DateTime creationTime, org.joda.time.DateTime expirationTime, RahasData data) throws TrustException

This method creates a SAML 2 subject based on the holder-of-key confirmation method:
<saml2:Subject>
<saml2:NameID>
...
</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData
xsi:type="saml2:KeyInfoConfirmationDataType">
<ds:KeyInfo>
<ds:KeyValue>...</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
The KeyInfo can be created from a public key or from a symmetric key; which one is used is decided by looking at RahasData.getKeyType(). Note that the KeyInfo only names the key: a relying party must accept a holder-of-key assertion only from a presenter that proves possession of that key (for example by signing the message with it), otherwise the assertion is no stronger than a bearer token. TODO: make sure this implementation is correct.

Theoretically a SAML2 subject can carry many subject confirmation methods. TODO: do we need to support that?

Parameters:
doc - The original XML document into which the assertion is to be included.
crypto - The relevant crypto properties.
creationTime - The time the assertion was created.
expirationTime - The expiry time.
data - The configuration data relevant to the request.
Throws:
TrustException - If an error occurred while creating the subject.

createSubjectWithBearerSubjectConfirmation

protected org.opensaml.saml2.core.Subject createSubjectWithBearerSubjectConfirmation(RahasData data) throws TrustException

This method creates a subject element with the bearer subject confirmation method:
<saml:Subject>
<saml:NameID
NameQualifier="www.example.com"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
uid=joe,ou=people,ou=saml-demo,o=baltimore.com
</saml:NameID>
<saml:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml:Subject>

(The SAML 2.0 form is shown; the SAML 1.x NameIdentifier/ConfirmationMethod elements cannot appear in a SAML 2.0 Subject.) With the bearer method, whoever holds the assertion is taken to be its subject, so the assertion's Conditions (lifetime and AudienceRestriction) and the protection of the transport it travels over are the only limits on replay.

Parameters:
data - RahasData element.
Throws:
TrustException - If an error occurred while creating the subject.

signAssertion

protected org.opensaml.saml2.core.Assertion signAssertion(Document document, org.opensaml.saml2.core.Assertion assertion, org.apache.ws.security.components.crypto.Crypto crypto) throws TrustException

This method signs the given assertion with the issuer's private key.

Parameters:
document - The original RST document.
assertion - Assertion to be signed.
crypto - The cryptographic properties.
Throws:
TrustException - If an error occurred while signing the assertion.

createAttributeStatement

protected org.opensaml.saml2.core.AttributeStatement createAttributeStatement(RahasData data) throws TrustException

This method creates an AttributeStatement:
<saml:AttributeStatement>
<saml:Attribute
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
FriendlyName="eduPersonAffiliation">
<saml:AttributeValue
xsi:type="xs:string">member</saml:AttributeValue>
<saml:AttributeValue
xsi:type="xs:string">staff</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
Reference - http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions

Parameters:
data - The RahasData which carries information about the RST.
Throws:
TrustException - If an error occurred while creating the AttributeStatement.

createAuthenticationStatement

protected org.opensaml.saml2.core.AuthnStatement createAuthenticationStatement(RahasData data) throws TrustException

This method creates an authentication statement:
<saml:AuthnStatement
AuthnInstant="2004-12-05T09:22:00Z"
SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>

Parameters:
data - The RahasData which carries information about the RST.
Throws:
TrustException - If an error occurred while creating the authentication statement.

setSubjectNamedIdentifierData

protected static void setSubjectNamedIdentifierData(org.opensaml.saml2.core.Subject subject, String subjectNameId, String format) throws TrustException

This method sets the subject principal details (the NameID) on the given subject.
Parameters:
subject - The subject.
subjectNameId - Subject name id, identifying the principal.
format - Format of the subjectNameId, i.e. email, x509subject etc.
Throws:
TrustException - If an error occurred while building the NameID.

createKeyInfo

protected org.opensaml.xml.signature.KeyInfo createKeyInfo(Document doc, org.apache.ws.security.components.crypto.Crypto crypto, RahasData data) throws TrustException

This method creates the KeyInfo relevant for the assertion.

Parameters:
doc - The document which we are processing.
crypto - Includes crypto properties relevant to the issuer.
data - Includes metadata about the RST.
Throws:
TrustException - If an error occurred while creating the KeyInfo object.

getResponseAction

public String getResponseAction(RahasData data) throws TrustException

Description copied from interface: TokenIssuer
Returns the wsa:Action of the response.

Specified by:
getResponseAction in interface TokenIssuer
Parameters:
data - A populated RahasData instance.
Returns:
wsa:Action of the response.
Throws:
TrustException - If an error occurred during the operation.

setConfigurationFile

public void setConfigurationFile(String configFile)

Description copied from interface: TokenIssuer
This is the text value of the <configuration-file> element of the token-dispatcher-configuration.

Specified by:
setConfigurationFile in interface TokenIssuer
Parameters:
configFile - Sets the token issuer configuration file.

setConfigurationElement

public void setConfigurationElement(org.apache.axiom.om.OMElement configElement)

Description copied from interface: TokenIssuer
This is the <configuration> element of the token-dispatcher-configuration.

Specified by:
setConfigurationElement in interface TokenIssuer
Parameters:
configElement - OMElement representing the configuration.

setConfigurationParamName

public void setConfigurationParamName(String configParamName)

Description copied from interface: TokenIssuer
If this is used, there must be an org.apache.axis2.description.Parameter object with this name available via the MessageContext when the TokenIssuer is called.

Specified by:
setConfigurationParamName in interface TokenIssuer
Parameters:
configParamName - The configuration parameter to be set.
See Also:
Parameter

Copyright © Apache Software Foundation. All Rights Reserved.
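The assertion, subject confirmation and signature structures documented above are what a relying party has to check before it trusts a token from this issuer. The following is an added example (not Rahas or Rampart code, and not part of the original Javadoc) of those checks in Python: Conditions and AudienceRestriction, bearer versus holder-of-key SubjectConfirmation, and that the enveloped ds:Signature's Reference covers the assertion's own ID. The sample XML is constructed from the buildAssertion() structure above; the Signature element is a structural placeholder only, so cryptographic verification is deliberately left to an XML-Signature library; the certificate value and the presenter_key parameter are assumptions made for the example.

```python
"""Relying-party checks for a SAML 2.0 assertion shaped like the ones this
issuer builds (bearer or holder-of-key subject confirmation).  Added example,
not Rahas/Rampart code; sample XML is constructed and the Signature element
is a structural placeholder, not a real signature."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def parse_instant(value):
    """xs:dateTime ('Z' suffixed UTC, as SAML uses) -> aware datetime."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_assertion(xml_text, now, audience, recipient=None, presenter_key=None):
    """Return the reasons to reject the assertion; an empty list means accept.

    presenter_key (assumed parameter): for holder-of-key, the key material
    (X509Certificate or KeyValue text) the presenter has already proved
    possession of, e.g. by signing the request.  KeyInfo must name that key.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    if root.get("Version") != "2.0":
        problems.append("Version is not 2.0")
    assertion_id = root.get("ID") or ""
    # Structural signature check only: the enveloped signature must reference
    # this assertion's own ID.  Cryptographic verification against the issuer's
    # certificate is the job of an XML-Signature library and is not done here.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        problems.append("assertion is not signed")
    elif ref.get("URI") != "#" + assertion_id:
        problems.append("signature Reference does not cover this assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after is None or now >= parse_instant(not_on_or_after):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            problems.append("audience %s not in %s" % (audience, audiences))
    # Any one satisfiable SubjectConfirmation confirms the subject; methods this
    # relying party does not understand never do.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") == BEARER and data is not None:
            expiry = data.get("NotOnOrAfter")
            fresh = expiry is not None and now < parse_instant(expiry)
            addressed = recipient is None or data.get("Recipient") == recipient
            confirmed = confirmed or (fresh and addressed)
        elif sc.get("Method") == HOLDER_OF_KEY and data is not None:
            key_info = data.find("ds:KeyInfo", NS)
            named = "".join(key_info.itertext()).split() if key_info is not None else []
            confirmed = confirmed or (bool(named) and presenter_key is not None
                                      and presenter_key.split() == named)
    if not confirmed:
        problems.append("no SubjectConfirmation could be satisfied")
    return problems


# Constructed samples; TEMPLATE follows the buildAssertion() structure above.
ASSERTION_ID = "b07b804c-7c29-ea16-7300-4f3d6f7928ac"
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="%(id)s" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#%(id)s"/></ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
    %(confirmation)s
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
BEARER_CONFIRMATION = ('<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData '
                       'Recipient="https://sp.example.com/SAML2/SSO/POST" '
                       'NotOnOrAfter="2004-12-05T09:27:05Z"/></saml:SubjectConfirmation>' % BEARER)
PRESENTER_CERT = "MIICexampleCertificateBase64NotReal="  # constructed placeholder, not a cert
HOK_CONFIRMATION = ('<saml:SubjectConfirmation Method="%s"><saml:SubjectConfirmationData>'
                    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
                    '</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>'
                    '</saml:SubjectConfirmation>' % (HOLDER_OF_KEY, PRESENTER_CERT))
BEARER_ASSERTION = TEMPLATE % {"id": ASSERTION_ID, "confirmation": BEARER_CONFIRMATION}
HOK_ASSERTION = TEMPLATE % {"id": ASSERTION_ID, "confirmation": HOK_CONFIRMATION}

if __name__ == "__main__":
    now = parse_instant("2004-12-05T09:22:05Z")
    print(validate_assertion(BEARER_ASSERTION, now, "https://sp.example.com/SAML2",
                             recipient="https://sp.example.com/SAML2/SSO/POST"))
    print(validate_assertion(HOK_ASSERTION, now, "https://sp.example.com/SAML2",
                             presenter_key=PRESENTER_CERT))
```

The bearer branch only accepts an assertion whose SubjectConfirmationData is still fresh and, when a recipient is given, addressed to this endpoint; the holder-of-key branch accepts nothing unless the caller passes in the key the presenter actually demonstrated, because KeyInfo in the assertion is a claim by the issuer, not proof by the presenter. The Reference URI check is deliberately tied to the assertion's own ID so that a signature covering some other element is not mistaken for a signature over this one.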