1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.Map;
24  import org.apache.syncope.common.lib.to.AuthModuleTO;
25  import org.apache.syncope.common.lib.types.SAML2BindingType;
26  
/**
 * Configuration for delegating authentication to an external SAML 2.0 Identity Provider,
 * with Syncope acting as the Service Provider (SP).
 *
 * <p>This class is a plain configuration holder: it validates nothing and applies nothing by itself.
 * Every value is handed to the consuming authentication engine through {@code map(AuthModuleTO, Mapper)},
 * so whether a given setting is honored, validated or enforced is decided by that consumer, not here.
 *
 * <p>Points worth knowing before changing defaults:
 * <ul>
 * <li>{@link #keystorePassword} and {@link #protectedKeyPassword} are held in clear text as
 * {@link String}s; treat instances as sensitive and keep them out of logs and error messages.</li>
 * <li>Every signing-related flag ({@link #responsesSigned}, {@link #wantsAssertionsSigned},
 * {@link #signAuthnRequest}, {@link #signServiceProviderLogoutRequest},
 * {@link #signServiceProviderMetadata}) defaults to {@code false}, and the signature-algorithm
 * lists default to empty, i.e. the consumer's global defaults apply.</li>
 * <li>{@link #acceptedSkew} and {@link #maximumAuthenticationLifetime} both widen the time window in
 * which an IdP response is accepted; keep them as small as the deployment's clock accuracy allows.</li>
 * </ul>
 */
public class SAML2IdPAuthModuleConf extends Pac4jAuthModuleConf implements AuthModuleConf {

    private static final long serialVersionUID = -471527731042579422L;

    /**
     * Name of the attribute, taken from the received assertion, whose value becomes the
     * authenticated username after a successful authentication.
     * NOTE(review): what happens when this is unset (e.g. fallback to the NameID) is decided by the
     * consumer and is not visible from this class — confirm before relying on it.
     */
    protected String userIdAttribute;

    /**
     * SAML binding used to deliver the authentication request to the IdP.
     * Defaults to HTTP-Redirect.
     */
    protected SAML2BindingType destinationBinding = SAML2BindingType.REDIRECT;

    /**
     * Path of the Service Provider metadata.
     * Whether the consumer generates the file at this path or merely reads it is not visible here.
     */
    protected String serviceProviderMetadataPath;

    /**
     * Path of the SP keystore.
     */
    protected String keystorePath;

    /**
     * Password of the SP keystore (used when the keystore is generated).
     * Sensitive: stored in clear text in this object.
     */
    protected String keystorePassword;

    /**
     * Password protecting the SP private key inside the keystore (used when the key is generated).
     * Sensitive: stored in clear text in this object.
     * NOTE(review): the accessors for this field are {@code getPrivateKeyPassword} /
     * {@code setPrivateKeyPassword} while the field itself is {@code protectedKeyPassword}; which of
     * the two names the mapper or serializer reads is not visible here, so renaming either side may
     * silently drop the value — keep both as they are unless the consumer is checked.
     */
    protected String protectedKeyPassword;

    /**
     * Location of the metadata of the Identity Provider that handles authentications.
     * In SAML deployments the IdP metadata typically carries the IdP signing certificates that
     * response validation relies on, so it should be obtained from a trusted source and protected
     * from tampering.
     */
    protected String identityProviderMetadataPath;

    /**
     * AllowCreate flag to put on the requested NameID policy.
     * Accepted values are {@code "true"}, {@code "false"} or {@code "undefined"}
     * (the last meaning: leave the flag unset). Held as a String; nothing here validates it.
     */
    protected String nameIdPolicyAllowCreate = "undefined";

    /**
     * Maximum age of a previous IdP authentication that the SAML client still accepts when the IdP
     * reuses an existing session instead of prompting for credentials again.
     * The default is written as an ISO-8601 duration ({@code PT3600S}, one hour); whether a bare
     * number of seconds is also accepted depends on the consumer — TODO confirm.
     * Larger values extend how long a stale IdP session remains usable.
     */
    protected String maximumAuthenticationLifetime = "PT3600S";

    /**
     * Maximum clock skew tolerated between SP and IdP.
     * This skew is added on top of the {@code NotOnOrAfter} condition when validating the SAML
     * response, so raising it directly enlarges the acceptance window of a response.
     * The default is written as an ISO-8601 duration ({@code PT300S}, five minutes).
     */
    protected String acceptedSkew = "PT300S";

    /**
     * entityID the SP declares about itself when its metadata is generated.
     */
    protected String serviceProviderEntityId;

    /**
     * Whether authentication requests are flagged as forced ({@code ForceAuthn}), asking the IdP to
     * re-authenticate the user even if it already holds a session.
     */
    protected boolean forceAuth;

    /**
     * Whether authentication requests are flagged as passive ({@code IsPassive}).
     */
    protected boolean passive;

    /**
     * Requested authentication context classes for the authentication request.
     * The list is live and mutable: callers populate it through {@link #getAuthnContextClassRefs()}.
     */
    protected final List<String> authnContextClassRefs = new ArrayList<>(0);

    /**
     * Comparison rule used to evaluate the requested authentication context classes.
     * With {@code "exact"} (the default) the authentication method used must match one of the
     * {@code AuthnContextClassRef} values exactly; other acceptable values are
     * {@code minimum}, {@code maximum} and {@code better}.
     */
    protected String authnContextComparisonType = "exact";

    /**
     * Alias of the key entry to use inside the keystore.
     */
    protected String keystoreAlias;

    /**
     * NameID format to request in the authentication requests.
     */
    protected String nameIdPolicyFormat;

    /**
     * Whether the SP metadata advertises that responses must be signed.
     * Defaults to {@code false}. This only shapes the metadata; whether unsigned responses are
     * actually rejected is up to the consumer and is not visible from this class.
     */
    protected boolean responsesSigned;

    /**
     * Whether the SP metadata advertises {@code WantAssertionsSigned}.
     * Defaults to {@code false}. As with {@link #responsesSigned}, this shapes the metadata only.
     */
    protected boolean wantsAssertionsSigned;

    /**
     * {@code AttributeConsumingServiceIndex} attribute of the {@code AuthnRequest} element.
     * The index points to an {@code AttributeConsumingService} declared in the SP metadata, which
     * lists the attributes the SP asks the IdP to release in the assertion.
     * The attribute is meant to be sent only when a non-negative value (0 included) is defined.
     * NOTE(review): the field has no initializer, so its default is {@code 0}, which by the sentence
     * above counts as "defined" — unless the consumer applies its own rule, the index is sent by
     * default. Confirm before relying on it being omitted.
     */
    protected int attributeConsumingServiceIndex;

    /**
     * Index used to select a specific Assertion Consumer Service URL from the SP metadata.
     * A negative value (the default, {@code -1}) disables the selection.
     */
    protected int assertionConsumerServiceIndex = -1;

    /**
     * Whether name qualifiers are produced in the final SAML response. Defaults to {@code true}.
     */
    protected boolean useNameQualifier = true;

    /**
     * Whether the generated SP metadata is signed. Defaults to {@code false}.
     */
    protected boolean signServiceProviderMetadata;

    /**
     * Whether the {@code AuthnRequest} sent by the SP is signed. Defaults to {@code false}.
     */
    protected boolean signAuthnRequest;

    /**
     * Whether the Logout Request sent by the SP is signed. Defaults to {@code false}.
     */
    protected boolean signServiceProviderLogoutRequest;

    /**
     * Signature signing algorithms to block, overriding the global defaults when non-empty.
     * Live, mutable list exposed through {@link #getBlockedSignatureSigningAlgorithms()}.
     */
    protected final List<String> blockedSignatureSigningAlgorithms = new ArrayList<>(0);

    /**
     * Signature signing algorithms to use, overriding the global defaults when non-empty.
     * Live, mutable list exposed through {@link #getSignatureAlgorithms()}.
     */
    protected final List<String> signatureAlgorithms = new ArrayList<>(0);

    /**
     * Signature reference digest methods to use, overriding the global defaults when non-empty.
     * Live, mutable list exposed through {@link #getSignatureReferenceDigestMethods()}.
     */
    protected final List<String> signatureReferenceDigestMethods = new ArrayList<>(0);

    /**
     * Signature canonicalization algorithm, overriding the global default when set.
     */
    protected String signatureCanonicalizationAlgorithm;

    /**
     * Human-readable name of the requester placed in the SAML authentication request, for use by
     * the presenter's user agent or by the IdP.
     */
    protected String providerName;

    public String getUserIdAttribute() {
        return userIdAttribute;
    }

    public void setUserIdAttribute(final String userIdAttribute) {
        this.userIdAttribute = userIdAttribute;
    }

    public SAML2BindingType getDestinationBinding() {
        return destinationBinding;
    }

    public void setDestinationBinding(final SAML2BindingType destinationBinding) {
        this.destinationBinding = destinationBinding;
    }

    public String getServiceProviderMetadataPath() {
        return serviceProviderMetadataPath;
    }

    public void setServiceProviderMetadataPath(final String serviceProviderMetadataPath) {
        this.serviceProviderMetadataPath = serviceProviderMetadataPath;
    }

    public String getKeystorePath() {
        return keystorePath;
    }

    public void setKeystorePath(final String keystorePath) {
        this.keystorePath = keystorePath;
    }

    /**
     * @return the keystore password in clear text; do not log the returned value
     */
    public String getKeystorePassword() {
        return keystorePassword;
    }

    public void setKeystorePassword(final String keystorePassword) {
        this.keystorePassword = keystorePassword;
    }

    /**
     * Accessor for {@link #protectedKeyPassword}; note the property name differs from the field name.
     *
     * @return the private key password in clear text; do not log the returned value
     */
    public String getPrivateKeyPassword() {
        return protectedKeyPassword;
    }

    /**
     * Sets {@link #protectedKeyPassword}; note the property name differs from the field name.
     *
     * @param protectedKeyPassword password protecting the SP private key
     */
    public void setPrivateKeyPassword(final String protectedKeyPassword) {
        this.protectedKeyPassword = protectedKeyPassword;
    }

    public String getIdentityProviderMetadataPath() {
        return identityProviderMetadataPath;
    }

    public void setIdentityProviderMetadataPath(final String identityProviderMetadataPath) {
        this.identityProviderMetadataPath = identityProviderMetadataPath;
    }

    public String getMaximumAuthenticationLifetime() {
        return maximumAuthenticationLifetime;
    }

    public void setMaximumAuthenticationLifetime(final String maximumAuthenticationLifetime) {
        this.maximumAuthenticationLifetime = maximumAuthenticationLifetime;
    }

    public String getAcceptedSkew() {
        return acceptedSkew;
    }

    public void setAcceptedSkew(final String acceptedSkew) {
        this.acceptedSkew = acceptedSkew;
    }

    public String getServiceProviderEntityId() {
        return serviceProviderEntityId;
    }

    public void setServiceProviderEntityId(final String serviceProviderEntityId) {
        this.serviceProviderEntityId = serviceProviderEntityId;
    }

    public boolean isForceAuth() {
        return forceAuth;
    }

    public void setForceAuth(final boolean forceAuth) {
        this.forceAuth = forceAuth;
    }

    public boolean isPassive() {
        return passive;
    }

    public void setPassive(final boolean passive) {
        this.passive = passive;
    }

    public String getNameIdPolicyAllowCreate() {
        return nameIdPolicyAllowCreate;
    }

    public void setNameIdPolicyAllowCreate(final String nameIdPolicyAllowCreate) {
        this.nameIdPolicyAllowCreate = nameIdPolicyAllowCreate;
    }

    /**
     * @return the live, mutable list of requested authentication context classes (no copy is made)
     */
    public List<String> getAuthnContextClassRefs() {
        return authnContextClassRefs;
    }

    public String getAuthnContextComparisonType() {
        return authnContextComparisonType;
    }

    public void setAuthnContextComparisonType(final String authnContextComparisonType) {
        this.authnContextComparisonType = authnContextComparisonType;
    }

    public String getKeystoreAlias() {
        return keystoreAlias;
    }

    public void setKeystoreAlias(final String keystoreAlias) {
        this.keystoreAlias = keystoreAlias;
    }

    public String getNameIdPolicyFormat() {
        return nameIdPolicyFormat;
    }

    public void setNameIdPolicyFormat(final String nameIdPolicyFormat) {
        this.nameIdPolicyFormat = nameIdPolicyFormat;
    }

    public boolean isResponsesSigned() {
        return responsesSigned;
    }

    public void setResponsesSigned(final boolean responsesSigned) {
        this.responsesSigned = responsesSigned;
    }

    public boolean isWantsAssertionsSigned() {
        return wantsAssertionsSigned;
    }

    public void setWantsAssertionsSigned(final boolean wantsAssertionsSigned) {
        this.wantsAssertionsSigned = wantsAssertionsSigned;
    }

    public int getAttributeConsumingServiceIndex() {
        return attributeConsumingServiceIndex;
    }

    public void setAttributeConsumingServiceIndex(final int attributeConsumingServiceIndex) {
        this.attributeConsumingServiceIndex = attributeConsumingServiceIndex;
    }

    public int getAssertionConsumerServiceIndex() {
        return assertionConsumerServiceIndex;
    }

    public void setAssertionConsumerServiceIndex(final int assertionConsumerServiceIndex) {
        this.assertionConsumerServiceIndex = assertionConsumerServiceIndex;
    }

    public boolean isUseNameQualifier() {
        return useNameQualifier;
    }

    public void setUseNameQualifier(final boolean useNameQualifier) {
        this.useNameQualifier = useNameQualifier;
    }

    public boolean isSignServiceProviderMetadata() {
        return signServiceProviderMetadata;
    }

    public void setSignServiceProviderMetadata(final boolean signServiceProviderMetadata) {
        this.signServiceProviderMetadata = signServiceProviderMetadata;
    }

    public boolean isSignAuthnRequest() {
        return signAuthnRequest;
    }

    public void setSignAuthnRequest(final boolean signAuthnRequest) {
        this.signAuthnRequest = signAuthnRequest;
    }

    public boolean isSignServiceProviderLogoutRequest() {
        return signServiceProviderLogoutRequest;
    }

    public void setSignServiceProviderLogoutRequest(final boolean signServiceProviderLogoutRequest) {
        this.signServiceProviderLogoutRequest = signServiceProviderLogoutRequest;
    }

    /**
     * @return the live, mutable list of blocked signing algorithms (no copy is made)
     */
    public List<String> getBlockedSignatureSigningAlgorithms() {
        return blockedSignatureSigningAlgorithms;
    }

    /**
     * @return the live, mutable list of signing algorithms (no copy is made)
     */
    public List<String> getSignatureAlgorithms() {
        return signatureAlgorithms;
    }

    /**
     * @return the live, mutable list of reference digest methods (no copy is made)
     */
    public List<String> getSignatureReferenceDigestMethods() {
        return signatureReferenceDigestMethods;
    }

    public String getSignatureCanonicalizationAlgorithm() {
        return signatureCanonicalizationAlgorithm;
    }

    public void setSignatureCanonicalizationAlgorithm(final String signatureCanonicalizationAlgorithm) {
        this.signatureCanonicalizationAlgorithm = signatureCanonicalizationAlgorithm;
    }

    public String getProviderName() {
        return providerName;
    }

    public void setProviderName(final String providerName) {
        this.providerName = providerName;
    }

    /**
     * Hands this configuration to the given mapper and returns its result unchanged.
     * No validation of the configured values happens here; any checks live in the mapper.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the consumer-specific mapper
     * @return whatever the mapper produces for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}