Field Detail

• signatureList

  protected List<org.opensaml.xml.signature.Signature> signatureList

Constructor Detail

• SAML2TokenIssuer

  public SAML2TokenIssuer()

Method Detail

• issue

  public org.apache.axiom.soap.SOAPEnvelope issue(RahasData data)
                                           throws TrustException

  This is the main method which issues SAML2 assertions as security token responses. This method will read issuer configuration and in message context properties (Basically request security token properties) and will create a security token response with SAML2 assertion. The attributes are retrieved from a callback class.

  Specified by:

  issue in interface TokenIssuer

  Parameters:

  data - A populated RahasData instance

  Returns:

  A SOAP message with security token response (as per ws-trust spec) with a SAML2 assertion.

  Throws:

  TrustException - If an error occurred while creating the response.

• createRequestSecurityTokenResponse

  protected org.apache.axiom.soap.SOAPEnvelope createRequestSecurityTokenResponse(RahasData rahasData,
                                                                      org.opensaml.saml2.core.Assertion assertion,
                                                                      org.apache.axiom.soap.SOAPEnvelope soapEnvelope)
                                                                           throws TrustException

  This method prepares the final response. This method will create a request security token response as specified in WS-Trust specification. The equivalent XML would take following format,

    <wst:RequestSecurityTokenResponse xmlns:wst="...">
         <wst:TokenType>...</wst:TokenType>
         <wst:RequestedSecurityToken>...</wst:RequestedSecurityToken>
         ...
         <wsp:AppliesTo xmlns:wsp="...">...</wsp:AppliesTo>
         <wst:RequestedAttachedReference>
         ...
         </wst:RequestedAttachedReference>
         <wst:RequestedUnattachedReference>
         ...
         </wst:RequestedUnattachedReference>
         <wst:RequestedProofToken>...</wst:RequestedProofToken>
         <wst:Entropy>
         <wst:BinarySecret>...</wst:BinarySecret>
         </wst:Entropy>
         <wst:Lifetime>...</wst:Lifetime>
     </wst:RequestSecurityTokenResponse>

  Thus the RequestedSecurityToken will have SAML2 assertion passed.

  Parameters:

  rahasData - The configuration data which comes with RST

  assertion - OpenSAM representation of SAML2 assertion.

  soapEnvelope - SOAP message envelope

  Returns:

  SOAPEnvelope which includes RequestSecurityTokenResponse

  Throws:

  TrustException - If an error occurred while creating RequestSecurityTokenResponse.

• buildAssertion

  protected org.opensaml.saml2.core.Assertion buildAssertion(Document doc,
                                                 org.apache.ws.security.components.crypto.Crypto crypto,
                                                 RahasData data)
                                                      throws TrustException

  This methods builds the SAML2 assertion. The equivalent XML would look as follows,

  <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac"
        Version="2.0"
        IssueInstant="2004-12-05T09:22:05Z">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <ds:Signature
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
        <saml:Subject>
          <saml:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
            3f7b3dcf-1674-4ecd-92c8-1544f346baf8
          </saml:NameID>
          <saml:SubjectConfirmation
            Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData
              InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
              Recipient="https://sp.example.com/SAML2/SSO/POST"
              NotOnOrAfter="2004-12-05T09:27:05Z"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions
          NotBefore="2004-12-05T09:17:05Z"
          NotOnOrAfter="2004-12-05T09:27:05Z">
          <saml:AudienceRestriction>
            <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement
          AuthnInstant="2004-12-05T09:22:00Z"
          SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
           </saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          <saml:Attribute
            xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
            x500:Encoding="LDAP"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            FriendlyName="eduPersonAffiliation">
            <saml:AttributeValue
              xsi:type="xs:string">member</saml:AttributeValue>
            <saml:AttributeValue
              xsi:type="xs:string">staff</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>

  Reference - en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions

  Parameters:

  doc - The Document which comprises SAML 2 assertion.

  crypto - Crypto properties.

  data - The RST data and other configuration information.

  Returns:

  OpenSAML representation of an Assertion.

  Throws:

  TrustException - If an error occurred while creating the Assertion.

• createSubjectWithHolderOfKeySubjectConfirmation

  protected org.opensaml.saml2.core.Subject createSubjectWithHolderOfKeySubjectConfirmation(Document doc,
                                                                                org.apache.ws.security.components.crypto.Crypto crypto,
                                                                                org.joda.time.DateTime creationTime,
                                                                                org.joda.time.DateTime expirationTime,
                                                                                RahasData data)
                                                                                     throws TrustException

  This method will create a SAML 2 subject based on Holder of Key confirmation method. The relevant XML would look as follows,

    <saml2:Subject>
         <saml2:NameID>
             ...
         </saml2:NameID>
         <saml2:SubjectConfirmation
                 Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
             <saml2:SubjectConfirmationData
                     xsi:type="saml2:KeyInfoConfirmationDataType">
                 <ds:KeyInfo>
                     <ds:KeyValue>...</ds:KeyValue>
                 </ds:KeyInfo>
             </saml2:SubjectConfirmationData>
         </saml2:SubjectConfirmation>
     </saml2:Subject>

  KeyInfo can be created based on public key or symmetric key. That is decided by looking at the RahasData.getKeyType. TODO make sure this implementation is correct. Theoretically we should be able to have many subject confirmation methods in a SAML2 subject. TODO - Do we need to support that ?

  Parameters:

  doc - The original XML document which we need to include the assertion.

  crypto - The relevant crypto properties

  creationTime - The time that assertion was created.

  expirationTime - The expiring time

  data - The configuration data relevant request.

  Returns:

  OpenSAML representation of the SAML2 object.

  Throws:

  TrustException - If an error occurred while creating the subject.

• createSubjectWithBearerSubjectConfirmation

  protected org.opensaml.saml2.core.Subject createSubjectWithBearerSubjectConfirmation(RahasData data)
                                                                                throws TrustException

  This method creates a subject element with the bearer subject confirmation method.

     <saml:Subject>
         <saml:NameIdentifier
                     NameQualifier="www.example.com"
                     Format="urn:oasis:names:tc:SAML:1.1:nameid-
             format:X509SubjectName">
             uid=joe,ou=people,ou=saml-demo,o=baltimore.com
         </saml:NameIdentifier>
         <saml:SubjectConfirmation>
             <saml:ConfirmationMethod>
                 urn:oasis:names:tc:SAML:1.0:cm:bearer
             </saml:ConfirmationMethod>
         </saml:SubjectConfirmation>
     </saml:Subject>

  Parameters:

  data - RahasData element

  Returns:

  SAML 2.0 Subject element with Bearer subject confirmation

  Throws:

  TrustException - if an error occurred while creating the subject.

• signAssertion

  protected org.opensaml.saml2.core.Assertion signAssertion(Document document,
                                                org.opensaml.saml2.core.Assertion assertion,
                                                org.apache.ws.security.components.crypto.Crypto crypto)
                                                     throws TrustException

  This method signs the given assertion with issuer's private key.

  Parameters:

  document - The original RST document.

  assertion - Assertion to be signed.

  crypto - The cryptographic properties.

  Returns:

  The signed assertion.

  Throws:

  TrustException - If an error occurred while signing the assertion.

• createAttributeStatement

  protected org.opensaml.saml2.core.AttributeStatement createAttributeStatement(RahasData data)
                                                                         throws TrustException

  This method creates an AttributeStatement. The relevant XML would look like as follows,

    <saml:AttributeStatement>
      <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        FriendlyName="eduPersonAffiliation">
        <saml:AttributeValue
          xsi:type="xs:string">member</saml:AttributeValue>
        <saml:AttributeValue
          xsi:type="xs:string">staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

  Reference - http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions

  Parameters:

  data - The RahasData which carry information about RST.

  Returns:

  An AttributeStatement with filled attributes retrieved by calling callback class.

  Throws:

  TrustException - If an error occurred while creating the AttributeStatement.

• createAuthenticationStatement

  protected org.opensaml.saml2.core.AuthnStatement createAuthenticationStatement(RahasData data)
                                                                          throws TrustException

  This method creates an authentication statement. The equivalent XML would look as follows,

    <saml:AuthnStatement
      AuthnInstant="2004-12-05T09:22:00Z"
      SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
       </saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>

  Parameters:

  data - The RahasData which carry information about RST.

  Returns:

  OpenSAML representation of an AuthnStatement class.

  Throws:

  TrustException - If an error occurred while creating the authentication statement.

• setSubjectNamedIdentifierData

  protected static void setSubjectNamedIdentifierData(org.opensaml.saml2.core.Subject subject,
                                   String subjectNameId,
                                   String format)
                                               throws TrustException

  This method will set the subject principal details to the given subject.

  Parameters:

  subject - The subject.

  subjectNameId - Subject name id, to identify the principal

  format - Format of the subjectNameId, i.e. email, x509subject etc ...

  Throws:

  TrustException - If an error occurred while building NameID.

• createKeyInfo

  protected org.opensaml.xml.signature.KeyInfo createKeyInfo(Document doc,
                                                 org.apache.ws.security.components.crypto.Crypto crypto,
                                                 RahasData data)
                                                      throws TrustException

  This method creates the KeyInfo relevant for the assertion. The KeyInfo could be created in 2 ways. 1. Using symmetric key - KeyInfo is created using a symmetric key 2. Using a public key - KeyInfo created using a public key The methodology is decided by looking at RahasData.getKeyType() method.

  Parameters:

  doc - The document which we are processing.

  crypto - Includes crypto properties relevant to issuer.

  data - Includes metadata about the RST.

  Returns:

  OpenSAML representation of KeyInfo.

  Throws:

  TrustException - If an error occurred while creating the KeyInfo object.

• getResponseAction

  public String getResponseAction(RahasData data)
                           throws TrustException

  Description copied from interface: TokenIssuer
  Returns the wsa:Action of the response.

  Specified by:

  getResponseAction in interface TokenIssuer

  Parameters:

  data - A populated RahasData instance

  Returns:

  Returns the wsa:Action of the response

  Throws:

  TrustException - If an error occurred while during operation.

• setConfigurationFile

  public void setConfigurationFile(String configFile)

  Description copied from interface: TokenIssuer
  Set the configuration file of this TokenIssuer.

  This is the text value of the <configuration-file> element of the token-dispatcher-configuration

  Specified by:

  setConfigurationFile in interface TokenIssuer

  Parameters:

  configFile - Sets the token issuer configuration file.

• setConfigurationElement

  public void setConfigurationElement(org.apache.axiom.om.OMElement configElement)

  Description copied from interface: TokenIssuer
  Set the configuration element of this TokenIssuer.

  This is the <configuration> element of the token-dispatcher-configuration

  Specified by:

  setConfigurationElement in interface TokenIssuer

  Parameters:

  configElement - OMElement representing the configuration

• setConfigurationParamName

  public void setConfigurationParamName(String configParamName)

  Description copied from interface: TokenIssuer
  Set the name of the configuration parameter.

  If this is used then there must be a org.apache.axis2.description.Parameter object available in the via the messageContext when the TokenIssuer is called.

  Specified by:

  setConfigurationParamName in interface TokenIssuer

  Parameters:

  configParamName - The configuration parameter to be set.

  See Also:

  Parameter