org.jasig.portal.security.provider.saml
Class SAMLSession

java.lang.Object
  extended by org.jasig.portal.security.provider.saml.SAMLSession

public class SAMLSession
extends Object

This class is used to maintain the state of delegated SAML authentication before, during, and after the authentication. Please note that some of the methods of this class are package-scoped. This rather unusual scoping permits other classes, most notably SAMLDelegatedAuthenticationService, to access those methods while keeping them out of the public API documentation.

Author:
Adam Rybicki

Constructor Summary
SAMLSession(String samlAssertion, org.apache.http.conn.ClientConnectionManager connectionManager, org.apache.http.params.HttpParams params)
          Public constructor that initializes the SAML session.
 
Method Summary
 org.apache.http.client.HttpClient getHttpClient()
          Returns the Apache Commons HTTP Client that is set up with an authenticated session to the WSP.
 IdPEPRResolver getIdpResolver()
           
 org.apache.http.conn.ssl.SSLSocketFactory getIdPSocketFactory()
          Returns an instance of SSLSocketFactory suitable for use with the Apache Commons HTTP Client.
 String getPortalEntityID()
          Returns the portal's entityID.
 String getSamlAssertion()
          Returns the same String representation of SAML assertion that was passed to the constructor.
 Document getSamlAssertionDom()
          Returns the DOM representation of the SAML assertion.
 boolean isSkipValidateIdp()
           
 void setIdPClientKeystore(String ks, String pass)
          Provides an alternative way of supplying the client TLS certificate that is sent to the IdP to identify the client.
 void setIdPClientPrivateKeyAndCert(String pkFile, String certFile)
          This method is used to specify the private key and certificate to use to identify the client to the IdP.
 void setIdPClientTrustStore(String ks, String pass)
          Specifies a Java TrustStore of server X.509 certificates to trust.
 void setIdpResolver(IdPEPRResolver idpResolver)
          Provide an implementation of the IdPEPRResolver interface to resolve the IdP endpoint to which the delegated SAML authentication requests must be presented.
 void setIdPServerPublicKeys(String publicKeys)
          Specifies the public key(s) to verify and trust when communicating with the IdP.
 void setPortalEntityID(String portalEntityID)
          Sets the portal's entityID.
 void setSkipValidateIdp(boolean skipValidateIdp)
          Sets whether the IdP host name validation step should be skipped during authentication.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLSession

public SAMLSession(String samlAssertion,
                   org.apache.http.conn.ClientConnectionManager connectionManager,
                   org.apache.http.params.HttpParams params)
Public constructor that initializes the SAML session. This sets up the ThreadSafeConnectionManager because the connection interceptor will be making a secondary connection to authenticate to the IdP while the primary connection is blocked.

Parameters:
samlAssertion - SAML assertion that was passed to the portal for authentication
connectionManager - The connection manager to use for the HttpClient used for making authenticated requests. The caller is responsible for the ClientConnectionManager lifecycle.
params - the HttpClient configuration parameters to use.
Method Detail

getSamlAssertion

public String getSamlAssertion()
Returns the same String representation of SAML assertion that was passed to the constructor.

Returns:
the SAML assertion

getSamlAssertionDom

public Document getSamlAssertionDom()
Returns the DOM representation of the SAML assertion. Assertions are usually digitally signed, so it is important to keep them unchanged.

Returns:
the samlAssertionDom

getHttpClient

public org.apache.http.client.HttpClient getHttpClient()
Returns the Apache Commons HTTP Client that is set up with an authenticated session to the WSP. Because session management is WSP-specific, there is no way to guarantee that this HttpClient will continue the session set up by the authentication process; however, because Apache Commons HTTP Client behaves much like a browser, it should keep sending the cookies that were established during authentication. Shibboleth SP was specifically tested, and its session works as expected. It is probably important to use the same scheme, host, and base context as those used in the initial Resource passed during authentication.

Returns:
wspHttpClient instance of Apache Commons HTTP Client HttpClient class

getIdpResolver

public IdPEPRResolver getIdpResolver()
Returns:
the idpResolver
See Also:
setIdpResolver

setIdpResolver

public void setIdpResolver(IdPEPRResolver idpResolver)
Provide an implementation of the IdPEPRResolver interface to resolve the IdP endpoint to which the delegated SAML authentication requests must be presented. The default implementation, AssertionIdPResolver, resolves the endpoint from the SAML assertion. Shibboleth IdP provides an endpoint reference in the assertion.

Parameters:
idpResolver - the implementation of the IdPEPRResolver interface

setIdPClientPrivateKeyAndCert

public void setIdPClientPrivateKeyAndCert(String pkFile,
                                          String certFile)
This method is used to specify the private key and certificate to use to identify the client to the IdP. The TLS layer will present the certificate to the IdP. Because, as far as the IdP is concerned, the portal and its SP are one and the same, the parameters to this method will be the PEM-encoded private key and certificate files that the SP uses.

Parameters:
pkFile - file name of the PEM-encoded private key
certFile - file name of the PEM-encoded certificate

setIdPClientKeystore

public void setIdPClientKeystore(String ks,
                                 String pass)
Provides an alternative way of supplying the client TLS certificate that is sent to the IdP to identify the client.

Parameters:
ks - file name of Java KeyStore containing the certificate and private key to present to the IdP
pass - KeyStore password (must not be null)
See Also:
setIdPClientPrivateKeyAndCert

setIdPClientTrustStore

public void setIdPClientTrustStore(String ks,
                                   String pass)
Specifies a Java TrustStore of server X.509 certificates to trust. These may be either signing Certificate Authority (CA) certificates or self-signed certificates of IdPs to trust. Java normally trusts all servers that present valid certificates signed by a recognized CA; this method allows secure communication with an institution-specific IdP.

Parameters:
ks - file name of a Java KeyStore
pass - password to access the KeyStore

setIdPServerPublicKeys

public void setIdPServerPublicKeys(String publicKeys)
Specifies the public key(s) to verify and trust when communicating with the IdP. Shibboleth SP can provide the public key(s) of the IdP to trust. When the caller specifies the public key(s) to trust, the connection to the IdP will not proceed if the IdP does not present a matching public key.

Parameters:
publicKeys - Base64-encoded public key(s) to verify before allowing a connection to the IdP to proceed.

getIdPSocketFactory

public org.apache.http.conn.ssl.SSLSocketFactory getIdPSocketFactory()
Returns an instance of SSLSocketFactory suitable for use with the Apache Commons HTTP Client. This socket factory is set up with the previously set keys and/or certificates for communicating with the IdP.

Returns:
SSLSocketFactory suitable for use with the Apache Commons HTTP Client

getPortalEntityID

public String getPortalEntityID()
Returns the portal's entityID. This entityID is used to identify the portal to the IdP when the IdP is contacted for delegated authentication.

Returns:
the portalEntityID

setPortalEntityID

public void setPortalEntityID(String portalEntityID)
Sets the portal's entityID. This entityID is used to identify the portal to the IdP when the IdP is contacted for delegated authentication.

Parameters:
portalEntityID - the portalEntityID to set

isSkipValidateIdp

public boolean isSkipValidateIdp()
Returns:
whether the IdP host name validation step should be skipped

setSkipValidateIdp

public void setSkipValidateIdp(boolean skipValidateIdp)
Sets whether the IdP host name validation step should be skipped during authentication. This is generally needed when using a WAYF, since the target site will reference the WAYF and not the IdP in the response.
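The following is an added example, not code from uPortal, showing how a caller would wire this class together: a thread-safe connection manager (as the constructor requires), an explicit IdP trust store instead of the JVM-wide CA set, host name validation disabled only for the WAYF case, and the returned HttpClient used against the WSP. The entityID, trust store path, WSP URL and the HttpClient 4.0/4.1-era classes are assumptions; the delegated authentication exchange itself belongs to SAMLDelegatedAuthenticationService and is not shown.

```java
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpParams;
import org.apache.http.util.EntityUtils;
import org.jasig.portal.security.provider.saml.SAMLSession;

public class DelegatedAuthExample {

    // Hypothetical placeholders: replace with the deployment's real values.
    private static final String PORTAL_ENTITY_ID = "https://portal.example.edu/shibboleth";
    private static final String IDP_TRUSTSTORE = "/path/to/idp-truststore.jks";
    private static final String WSP_URL = "https://wsp.example.edu/app/resource";

    public static String fetchFromWsp(String samlAssertion, boolean behindWayf) throws Exception {
        HttpParams params = new BasicHttpParams();
        HttpConnectionParams.setConnectionTimeout(params, 10000);
        HttpConnectionParams.setSoTimeout(params, 30000);

        // A thread-safe manager is required: the interceptor opens a second
        // connection to the IdP while the primary WSP connection is blocked.
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", SSLSocketFactory.getSocketFactory(), 443));
        ClientConnectionManager connMgr = new ThreadSafeClientConnManager(params, registry);
        try {
            SAMLSession session = new SAMLSession(samlAssertion, connMgr, params);
            session.setPortalEntityID(PORTAL_ENTITY_ID);

            // Trust only the institution's IdP certificate(s), not every CA the JVM knows.
            session.setIdPClientTrustStore(IDP_TRUSTSTORE, System.getProperty("idp.truststore.password"));

            // Skip host name validation only in the WAYF case the Javadoc describes;
            // the explicit trust store above still constrains which IdP is accepted.
            session.setSkipValidateIdp(behindWayf);

            // Use the same scheme, host and base context as the original Resource.
            HttpClient client = session.getHttpClient();
            HttpResponse response = client.execute(new HttpGet(WSP_URL));
            return EntityUtils.toString(response.getEntity());
        } finally {
            connMgr.shutdown(); // the caller owns the ClientConnectionManager lifecycle
        }
    }
}
```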



Copyright © 2011 Jasig. All Rights Reserved.