Class AssertionValidator

java.lang.Object
se.swedenconnect.opensaml.common.validation.AbstractObjectValidator<org.opensaml.saml.saml2.core.Assertion>
se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator
All Implemented Interfaces:
ObjectValidator<org.opensaml.saml.saml2.core.Assertion>

public class AssertionValidator extends AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
A validator for Assertion objects.

Static ValidationContext parameters used by this class's own methods:

  • CoreValidatorParameters.EXPECTED_ISSUER: Optional. The entityID that the Issuer element must match (see validateIssuer).
  • CoreValidatorParameters.RECEIVE_INSTANT and CoreValidatorParameters.MAX_AGE_MESSAGE: Used by validateIssueInstant to reject an assertion whose IssueInstant is too old when RESPONSE_ISSUE_INSTANT is not supplied.
  • RESPONSE_ISSUE_INSTANT: Optional. The issue instant of the Response that contained the assertion. When supplied, validateIssueInstant checks that the assertion was not issued after the Response instead of applying the max-age check.

Supports the following ValidationContext dynamic parameters:

  • SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION: Optional. Will be present after validation if subject confirmation was successfully performed.
  • HOK_PROFILE_ACTIVE: Is set to indicate whether the holder-of-key WebSSO profile is active.

Note: Also check the validation context parameters defined by the SubjectConfirmationValidator and ConditionValidator instances that are installed.

Author:
Martin Lindström (martin@idsec.se)
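The parameters listed above are consumed when validate(...) is called with a ValidationContext. The following is an added example, not code from the opensaml-ext project or from OpenSAML, of an SP wiring the validator up, populating the static parameters, and reading back the dynamic parameters afterwards. The class name AssertionCheck, the SP and IdP entityIDs and ACS URL, the choice of OpenSAML's BearerSubjectConfirmationValidator and AudienceRestrictionConditionValidator, and the OpenSAML 4.x accessor getValidationFailureMessage() are assumptions.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.assertion.impl.AudienceRestrictionConditionValidator;
import org.opensaml.saml.saml2.assertion.impl.BearerSubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

import se.swedenconnect.opensaml.common.validation.CoreValidatorParameters;
import se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator;

/**
 * Added example: an SP-side wrapper around AssertionValidator. Not code from the
 * opensaml-ext project; the class name and the SP/IdP values below are assumptions.
 */
public final class AssertionCheck {

  // Assumed deployment values (constructed for this example).
  static final String SP_ENTITY_ID = "https://sp.example.com/saml";
  static final String SP_ACS_URL = "https://sp.example.com/saml/acs";
  static final String IDP_ENTITY_ID = "https://idp.example.com/idp";

  private final AssertionValidator validator;

  /**
   * @param trustEngine trust engine holding the IdP's signing certificate(s), typically
   *                    built from the IdP's metadata (construction not shown here)
   */
  public AssertionCheck(final SignatureTrustEngine trustEngine) {
    this.validator = new AssertionValidator(
        trustEngine,
        // Rejects signatures that break the SAML signature profile (e.g. non-enveloped or
        // multi-reference signatures) before any cryptographic verification is attempted.
        new SAMLSignatureProfileValidator(),
        List.of(new BearerSubjectConfirmationValidator()),
        List.of(new AudienceRestrictionConditionValidator()),
        List.of()); // no statement validators installed in this example
  }

  /**
   * Validates an assertion taken from a Response that was itself already validated.
   *
   * @param assertion            the unmarshalled assertion
   * @param responseIssueInstant IssueInstant of the enclosing Response
   * @param receiveInstant       when the SP received the Response
   * @param expectedInResponseTo ID of the AuthnRequest this Response answers
   * @return the SubjectConfirmation that was confirmed during validation
   * @throws SecurityException if the assertion must be rejected
   */
  public SubjectConfirmation check(final Assertion assertion, final Instant responseIssueInstant,
      final Instant receiveInstant, final String expectedInResponseTo) {

    final Map<String, Object> params = new HashMap<>();

    // Parameters read by AssertionValidator itself (keys named on this page).
    params.put(CoreValidatorParameters.EXPECTED_ISSUER, IDP_ENTITY_ID);
    params.put(CoreValidatorParameters.RECEIVE_INSTANT, receiveInstant);
    params.put(AssertionValidator.RESPONSE_ISSUE_INSTANT, responseIssueInstant);
    // MAX_AGE_MESSAGE is left unset, so the inherited DEFAULT_MAX_AGE_RECEIVED_MESSAGE
    // applies if the validator falls back to the max-age check.

    // Parameters read by the installed OpenSAML bearer/audience validators.
    params.put(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, Boolean.TRUE);
    params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Set.of(SP_ACS_URL));
    params.put(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO, expectedInResponseTo);
    params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Set.of(SP_ENTITY_ID));

    final ValidationContext context = new ValidationContext(params);
    final ValidationResult result = this.validator.validate(assertion, context);

    if (result != ValidationResult.VALID) {
      // INDETERMINATE is treated exactly like INVALID: never build a session on an open question.
      // getValidationFailureMessage() is the OpenSAML 4.x accessor (assumed version).
      throw new SecurityException(String.format("Assertion '%s' rejected (%s): %s",
          assertion.getID(), result, context.getValidationFailureMessage()));
    }

    // Dynamic parameters populated during validation.
    final Map<String, Object> dynamic = context.getDynamicParameters();
    final SubjectConfirmation confirmed = (SubjectConfirmation) dynamic
        .get(SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION);
    if (confirmed == null) {
      throw new SecurityException("No SubjectConfirmation was confirmed for assertion " + assertion.getID());
    }
    if (Boolean.TRUE.equals(dynamic.get(AssertionValidator.HOK_PROFILE_ACTIVE))) {
      // Holder-of-key Web SSO is in use: the session must additionally be bound to the
      // client certificate referenced by the confirmation (binding step not shown here).
    }
    return confirmed;
  }
}
```

Every recipient, audience and InResponseTo value is set explicitly: leaving one out gives the corresponding OpenSAML validator nothing to compare against, and because the wrapper rejects anything other than VALID, a missing parameter fails closed rather than silently passing.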
  • Field Summary

    Fields
    protected Map<QName,org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators
        Registered Condition validators.
    static final String HOK_PROFILE_ACTIVE
        Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder-of-key endpoints, i.e., whether the Holder-of-key profile is in use.
    static final String RESPONSE_ISSUE_INSTANT
        Carries an Instant holding the issue instant of the Response that contained the assertion being validated.
    protected Map<String,org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> subjectConfirmationValidators
        Registered SubjectConfirmation validators.

    Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

    signaturePrevalidator, trustEngine

    Fields inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

    DEFAULT_MAX_AGE_RECEIVED_MESSAGE
  • Constructor Summary

    Constructors
    Constructor
    Description
    AssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators)
    Constructor.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected String
    getID(org.opensaml.saml.saml2.core.Assertion signableObject)
    Returns the Assertion ID.
    protected String
    getIssuer(org.opensaml.saml.saml2.core.Assertion signableObject)
    Returns the Assertion issuer.
    protected String
    getObjectName()
    Returns the name of the object being validated, e.g. "Assertion". Used for logging.
    protected Instant
    getResponseIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
    Gets the RESPONSE_ISSUE_INSTANT setting.
    org.opensaml.saml.common.assertion.ValidationResult
    validate(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the assertion.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the Conditions elements of the assertion.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateConditionsTimeBounds(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateHolderOfKeyRequirement(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Performs initial validation concerning the Holder-of-key WebSSO Profile.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateID(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Assertion object has an ID attribute.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateIssueInstant(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Assertion object has a IssueInstant attribute and checks that its value is OK.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateIssuer(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the statements of the assertion using the registered StatementValidator instances.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the Subject element of the assertion.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateSubjectConfirmations(org.opensaml.saml.saml2.core.Assertion assertion, List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the subject confirmations and for the one that is confirmed, it is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateVersion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates that the Assertion object has a valid Version attribute.

    Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractSignableObjectValidator

    getSignatureValidationCriteriaSet, performSignatureValidation, validateSignature

    Methods inherited from class se.swedenconnect.opensaml.common.validation.AbstractObjectValidator

    getAllowedClockSkew, getMaxAgeReceivedMessage, getReceiveInstant, isStrictValidation

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • RESPONSE_ISSUE_INSTANT

      public static final String RESPONSE_ISSUE_INSTANT
      Carries an Instant holding the issue instant of the Response that contained the assertion being validated.
    • HOK_PROFILE_ACTIVE

      public static final String HOK_PROFILE_ACTIVE
      Tells whether the AuthnRequest corresponding to this assertion was sent to the IdP's holder-of-key endpoints, i.e., whether the Holder-of-key profile is in use. Carries a Boolean.
    • subjectConfirmationValidators

      protected Map<String,org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> subjectConfirmationValidators
      Registered SubjectConfirmation validators.
    • conditionValidators

      protected Map<QName,org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators
      Registered Condition validators.
  • Constructor Details

    • AssertionValidator

      public AssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator, Collection<org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator> confirmationValidators, Collection<org.opensaml.saml.saml2.assertion.ConditionValidator> conditionValidators, Collection<org.opensaml.saml.saml2.assertion.StatementValidator> statementValidators)
      Constructor.
      Parameters:
      trustEngine - the trust engine used to validate the object's signature
      signaturePrevalidator - the signature pre-validator used to pre-validate the object's signature
      confirmationValidators - validators used to validate SubjectConfirmation methods within the assertion
      conditionValidators - validators used to validate the Condition elements within the assertion
      statementValidators - validators used to validate Statements within the assertion
  • Method Details

    • validate

      public org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the assertion.
      Parameters:
      assertion - object to be evaluated
      context - current validation context
      Returns:
      the result of the evaluation
    • validateID

      protected org.opensaml.saml.common.assertion.ValidationResult validateID(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Assertion object has an ID attribute.
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
    • validateVersion

      protected org.opensaml.saml.common.assertion.ValidationResult validateVersion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Assertion object has a valid Version attribute.
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
    • validateIssueInstant

      protected org.opensaml.saml.common.assertion.ValidationResult validateIssueInstant(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates that the Assertion object has an IssueInstant attribute and checks that its value is acceptable. If the Response that contained the assertion was previously validated, the static context parameter RESPONSE_ISSUE_INSTANT should be passed; the method then checks that the assertion's IssueInstant is not after the Response's issue instant. Otherwise, the method checks that the IssueInstant is not too old given the CoreValidatorParameters.MAX_AGE_MESSAGE and CoreValidatorParameters.RECEIVE_INSTANT context parameters.
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
    • getResponseIssueInstant

      protected Instant getResponseIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
      Gets the RESPONSE_ISSUE_INSTANT setting.
      Parameters:
      context - the context
      Returns:
      the response issue instant, or null if it is not set
    • validateIssuer

      protected org.opensaml.saml.common.assertion.ValidationResult validateIssuer(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Ensures that the Issuer element is present and matches the expected issuer (if set in the context under the CoreValidatorParameters.EXPECTED_ISSUER key).
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
    • validateHolderOfKeyRequirement

      protected org.opensaml.saml.common.assertion.ValidationResult validateHolderOfKeyRequirement(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Performs initial validation concerning the Holder-of-key WebSSO Profile. If the corresponding AuthnRequest was sent to an IdP HoK endpoint, the method verifies that the SP received the Response on an endpoint dedicated to HoK.

      The method also sets the dynamic validation parameter HOK_PROFILE_ACTIVE.

      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
    • validateSubject

      protected org.opensaml.saml.common.assertion.ValidationResult validateSubject(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the Subject element of the assertion. The default implementation returns ValidationResult.VALID if there is no Subject element, since the element is optional according to the SAML 2.0 Core specification.
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      a validation result
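A Subject that is optional per SAML Core is not optional for a Web SSO service provider: without one there is nobody to log in. Because validateSubject is protected, an SP can override it to reject such assertions instead of inheriting the permissive default. The following subclass is an added example, not code from the opensaml-ext project; the class name, the policy of also requiring a NameID, EncryptedID or BaseID, and the OpenSAML 4.x method setValidationFailureMessage() are assumptions.

```java
import java.util.Collection;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.ConditionValidator;
import org.opensaml.saml.saml2.assertion.StatementValidator;
import org.opensaml.saml.saml2.assertion.SubjectConfirmationValidator;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.xmlsec.signature.support.SignaturePrevalidator;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;

import se.swedenconnect.opensaml.saml2.assertion.validation.AssertionValidator;

/**
 * Added example (not part of opensaml-ext): refuses assertions that carry no Subject, or a
 * Subject that names nobody, instead of inheriting the permissive default of validateSubject.
 */
public class SubjectRequiredAssertionValidator extends AssertionValidator {

  public SubjectRequiredAssertionValidator(final SignatureTrustEngine trustEngine,
      final SignaturePrevalidator signaturePrevalidator,
      final Collection<SubjectConfirmationValidator> confirmationValidators,
      final Collection<ConditionValidator> conditionValidators,
      final Collection<StatementValidator> statementValidators) {
    super(trustEngine, signaturePrevalidator, confirmationValidators, conditionValidators, statementValidators);
  }

  @Override
  protected ValidationResult validateSubject(final Assertion assertion, final ValidationContext context) {
    final Subject subject = assertion.getSubject();
    if (subject == null) {
      // setValidationFailureMessage is the OpenSAML 4.x API (assumed); 5.x collects messages in a list.
      context.setValidationFailureMessage(String.format(
          "Assertion '%s' has no Subject element, which this SP requires", assertion.getID()));
      return ValidationResult.INVALID;
    }
    // Assumed SP policy: the subject must carry an identifier the SP can act on.
    if (subject.getNameID() == null && subject.getEncryptedID() == null && subject.getBaseID() == null) {
      context.setValidationFailureMessage(String.format(
          "Subject of assertion '%s' carries no NameID, EncryptedID or BaseID", assertion.getID()));
      return ValidationResult.INVALID;
    }
    // Subject confirmations and the CONFIRMED_SUBJECT_CONFIRMATION bookkeeping are still
    // handled by the base class.
    return super.validateSubject(assertion, context);
  }
}
```

The subclass is a drop-in replacement wherever AssertionValidator is constructed; only the Subject-presence rule changes, and every other check still runs through the base class.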
    • validateSubjectConfirmations

      protected org.opensaml.saml.common.assertion.ValidationResult validateSubjectConfirmations(org.opensaml.saml.saml2.core.Assertion assertion, List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the subject confirmations; the one that is confirmed is saved in the validation context under the SAML2AssertionValidationParameters.CONFIRMED_SUBJECT_CONFIRMATION key.
      Parameters:
      assertion - the assertion
      subjectConfirmations - the subject confirmations
      context - the validation context
      Returns:
      a validation result
    • validateConditions

      protected org.opensaml.saml.common.assertion.ValidationResult validateConditions(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the Conditions elements of the assertion.
      Parameters:
      assertion - the assertion
      context - the validation context
      Returns:
      the validation result
    • validateConditionsTimeBounds

      protected org.opensaml.saml.common.assertion.ValidationResult validateConditionsTimeBounds(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the NotBefore and NotOnOrAfter Conditions constraints on the assertion.
      Parameters:
      assertion - the assertion whose conditions will be validated
      context - current validation context
      Returns:
      the result of the validation evaluation
    • validateStatements

      protected org.opensaml.saml.common.assertion.ValidationResult validateStatements(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the statements of the assertion using the registered StatementValidator instances.
      Parameters:
      assertion - the assertion to validate
      context - the validation context
      Returns:
      validation result
    • getIssuer

      protected String getIssuer(org.opensaml.saml.saml2.core.Assertion signableObject)
      Returns the Assertion issuer.
      Specified by:
      getIssuer in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
      Parameters:
      signableObject - the object being verified
      Returns:
      the issuer
    • getID

      protected String getID(org.opensaml.saml.saml2.core.Assertion signableObject)
      Returns the Assertion ID.
      Specified by:
      getID in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
      Parameters:
      signableObject - the object being verified
      Returns:
      the ID
    • getObjectName

      protected String getObjectName()
      Returns the name of the object being validated, e.g. "Assertion". Used for logging.
      Specified by:
      getObjectName in class AbstractSignableObjectValidator<org.opensaml.saml.saml2.core.Assertion>
      Returns:
      the object name