Package se.swedenconnect.opensaml.saml2.assertion.validation

Class AuthnStatementValidator

java.lang.Object

org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator

se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator

All Implemented Interfaces:

StatementValidator

public class AuthnStatementValidator
extends AuthnStatementValidator

Core statement validator for AuthnStatements.

Supports the following ValidationContext static parameters:

• CoreValidatorParameters.AUTHN_REQUEST: Optional. If supplied will be used in a number of validations when information from the corresponding AuthnRequest is needed. If not supplied, other, more detailed parameters must be given.
• AUTHN_REQUEST_FORCE_AUTHN: If the above CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the ForceAuthn flag. This is used to determine if a valid assertion was issued based on SSO/non-SSO.
• AUTHN_REQUEST_ISSUE_INSTANT: If the above CoreValidatorParameters.AUTHN_REQUEST is not assigned, this parameter gives the issue instant of the authentication request. This is used to determine if a valid assertion was issued based on SSO/non-SSO.
• MAX_ACCEPTED_SSO_SESSION_TIME: For SSO, we may want to assert that the authentication is not too old. If so, this parameter gives the maximum accepted session time.

Author:

Martin Lindström (martin@idsec.se)

Field Summary

Fields

Modifier and Type	Field	Description
static final String	AUTHN_REQUEST_FORCE_AUTHN	Key for a validation context parameter.
static final String	AUTHN_REQUEST_ISSUE_INSTANT	Key for a validation context parameter.
static final String	MAX_ACCEPTED_SSO_SESSION_TIME	Key for a validation context parameter.

Constructor Summary

Constructors

Constructor	Description
AuthnStatementValidator()

Method Summary

Modifier and Type	Method	Description
protected static Instant	getAuthnRequestIssueInstant(ValidationContext context)	Gets the issue instant of the AuthnRequest from the validation context.
protected static Boolean	getForceAuthnFlag(ValidationContext context)	Gets the ForceAuthn flag from the validation context.
protected static Duration	getMaxAcceptedSsoSessionTime(ValidationContext context)	Gets the maximum time we allow for SSO sessions.
protected ValidationResult	validate(AuthnStatement statement, Assertion assertion, ValidationContext context)	Validates the AuthnStatement.
final ValidationResult	validate(Statement statement, Assertion assertion, ValidationContext context)
protected ValidationResult	validateAuthnContext(AuthnStatement statement, Assertion assertion, ValidationContext context)	Default implementation will only assert that the AuthnContext element is present.
protected ValidationResult	validateAuthnInstant(AuthnStatement statement, Assertion assertion, ValidationContext context)	Validates the AuthnInstant of the AuthnStatement.
protected ValidationResult	validateSessionIndex(AuthnStatement statement, Assertion assertion, ValidationContext context)	Default implementation does not perform any checks and returns ValidationResult.VALID.
protected ValidationResult	validateSessionNotOnOrAfter(AuthnStatement statement, Assertion assertion, ValidationContext context)	Default implementation does not perform any checks and returns ValidationResult.VALID.
protected ValidationResult	validateSsoAndSession(Instant authnInstant, AuthnStatement statement, Assertion assertion, ValidationContext context)	Makes checks for SSO and session lengths.

Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator

getServicedStatement, validateSubjectLocality

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

AUTHN_REQUEST_FORCE_AUTHN

public static final String AUTHN_REQUEST_FORCE_AUTHN

Key for a validation context parameter. Carries a Boolean holding the value of the ForceAuthn flag from the AuthnRequest.

See Also:

• Constant Field Values

AUTHN_REQUEST_ISSUE_INSTANT

public static final String AUTHN_REQUEST_ISSUE_INSTANT

Key for a validation context parameter. Carries a Instant holding the issuance time for the AuthnRequest.

See Also:

• Constant Field Values

MAX_ACCEPTED_SSO_SESSION_TIME

public static final String MAX_ACCEPTED_SSO_SESSION_TIME

Key for a validation context parameter. Carries a Duration holding the maximum session time that we can accept for SSO.

See Also:

• Constant Field Values

Constructor Details

AuthnStatementValidator

public AuthnStatementValidator()

Method Details

validate

@Nonnull
public final ValidationResult validate(@Nonnull
 Statement statement,
 @Nonnull
 Assertion assertion,
 @Nonnull
 ValidationContext context)
                                throws AssertionValidationException

Specified by:

validate in interface StatementValidator

Overrides:

validate in class AuthnStatementValidator

Throws:

AssertionValidationException

validate

protected ValidationResult validate(AuthnStatement statement,
 Assertion assertion,
 ValidationContext context)
                             throws AssertionValidationException

Validates the AuthnStatement.

Parameters:

statement - the statement to validate

assertion - the assertion containing the statement

context - validation context

Returns:

validation result

Throws:

AssertionValidationException - for internal validation errors

validateAuthnInstant

@Nonnull
protected ValidationResult validateAuthnInstant(@Nonnull
 AuthnStatement statement,
 @Nonnull
 Assertion assertion,
 @Nonnull
 ValidationContext context)

Validates the AuthnInstant of the AuthnStatement.

Overrides:

validateAuthnInstant in class AuthnStatementValidator

Parameters:

statement - the statement

assertion - the assertion containing the statement

context - validation context

Returns:

validation result

validateSsoAndSession

protected ValidationResult validateSsoAndSession(Instant authnInstant,
 AuthnStatement statement,
 Assertion assertion,
 ValidationContext context)

Makes checks for SSO and session lengths.

Parameters:

authnInstant - the authentication instant

statement - the statement

assertion - the assertion containing the statement

context - validation context

Returns:

validation result

getMaxAcceptedSsoSessionTime

protected static Duration getMaxAcceptedSsoSessionTime(ValidationContext context)

Gets the maximum time we allow for SSO sessions.

Parameters:

context - the validation context

Returns:

the max time, or null if the time is not set

getForceAuthnFlag

protected static Boolean getForceAuthnFlag(ValidationContext context)

Gets the ForceAuthn flag from the validation context. The method primarily checks for the AUTHN_REQUEST_FORCE_AUTHN parameter, and that does not exist, tries with the CoreValidatorParameters.AUTHN_REQUEST parameter.

Parameters:

context - the validation context

Returns:

the ForceAuthn flag or null if this is not set

getAuthnRequestIssueInstant

protected static Instant getAuthnRequestIssueInstant(ValidationContext context)

Gets the issue instant of the AuthnRequest from the validation context. The method primarily checks for the AUTHN_REQUEST_ISSUE_INSTANT parameter, and that does not exist, tries with the CoreValidatorParameters.AUTHN_REQUEST parameter.

Parameters:

context - the validation context

Returns:

the issuance time or null if not set

validateSessionIndex

protected ValidationResult validateSessionIndex(AuthnStatement statement,
 Assertion assertion,
 ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

Parameters:

statement - the statement

assertion - the assertion

context - the validation context

Returns:

validation result

validateSessionNotOnOrAfter

protected ValidationResult validateSessionNotOnOrAfter(AuthnStatement statement,
 Assertion assertion,
 ValidationContext context)

Default implementation does not perform any checks and returns ValidationResult.VALID.

Parameters:

statement - the statement

assertion - the assertion

context - the validation context

Returns:

validation result

validateAuthnContext

@Nonnull
protected ValidationResult validateAuthnContext(@Nonnull
 AuthnStatement statement,
 @Nonnull
 Assertion assertion,
 @Nonnull
 ValidationContext context)

Default implementation will only assert that the AuthnContext element is present.

Overrides:

validateAuthnContext in class AuthnStatementValidator

Parameters:

statement - the statement

assertion - the assertion

context - the validation context

Returns:

validation result