Class AuthnStatementValidator

java.lang.Object
org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator
All Implemented Interfaces:
org.opensaml.saml.saml2.assertion.StatementValidator

public class AuthnStatementValidator extends org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
Core statement validator for AuthnStatements.

Supports the following ValidationContext static parameters:

  • AUTHN_REQUEST_FORCE_AUTHN
  • AUTHN_REQUEST_ISSUE_INSTANT
  • MAX_ACCEPTED_SSO_SESSION_TIME

Author:
Martin Lindström (martin@idsec.se)
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    AUTHN_REQUEST_FORCE_AUTHN
    Key for a validation context parameter.
    static final String
    AUTHN_REQUEST_ISSUE_INSTANT
    Key for a validation context parameter.
    static final String
    MAX_ACCEPTED_SSO_SESSION_TIME
    Key for a validation context parameter.
  • Constructor Summary

    Constructors
    Constructor
    Description
    AuthnStatementValidator()
  • Method Summary

    Modifier and Type
    Method
    Description
    protected static Instant
    getAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
    Gets the issue instant of the AuthnRequest from the validation context.
    protected static Boolean
    getForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context)
    Gets the ForceAuthn flag from the validation context.
    protected static Duration
    getMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context)
    Gets the maximum time we allow for SSO sessions.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the AuthnStatement.
    final org.opensaml.saml.common.assertion.ValidationResult
    validate(org.opensaml.saml.saml2.core.Statement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateAuthnContext(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Default implementation will only assert that the AuthnContext element is present.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateAuthnInstant(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Validates the AuthnInstant of the AuthnStatement.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Default implementation does not perform any checks and returns ValidationResult.VALID.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Default implementation does not perform any checks and returns ValidationResult.VALID.
    protected org.opensaml.saml.common.assertion.ValidationResult
    validateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
    Makes checks for SSO and session lengths.

    Methods inherited from class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator

    getServicedStatement, validateSubjectLocality

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • AUTHN_REQUEST_FORCE_AUTHN

      public static final String AUTHN_REQUEST_FORCE_AUTHN
      Key for a validation context parameter. Carries a Boolean holding the value of the ForceAuthn flag from the AuthnRequest.
    • AUTHN_REQUEST_ISSUE_INSTANT

      public static final String AUTHN_REQUEST_ISSUE_INSTANT
      Key for a validation context parameter. Carries an Instant holding the issuance time for the AuthnRequest.
    • MAX_ACCEPTED_SSO_SESSION_TIME

      public static final String MAX_ACCEPTED_SSO_SESSION_TIME
      Key for a validation context parameter. Carries a Duration holding the maximum session time that we can accept for SSO.
  • Constructor Details

    • AuthnStatementValidator

      public AuthnStatementValidator()
  • Method Details

    • validate

      @Nonnull public final org.opensaml.saml.common.assertion.ValidationResult validate(@Nonnull org.opensaml.saml.saml2.core.Statement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException
      Specified by:
      validate in interface org.opensaml.saml.saml2.assertion.StatementValidator
      Overrides:
      validate in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
      Throws:
      org.opensaml.saml.common.assertion.AssertionValidationException
    • validate

      protected org.opensaml.saml.common.assertion.ValidationResult validate(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context) throws org.opensaml.saml.common.assertion.AssertionValidationException
      Validates the AuthnStatement.
      Parameters:
      statement - the statement to validate
      assertion - the assertion containing the statement
      context - validation context
      Returns:
      validation result
      Throws:
      org.opensaml.saml.common.assertion.AssertionValidationException - for internal validation errors
    • validateAuthnInstant

      @Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnInstant(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context)
      Validates the AuthnInstant of the AuthnStatement.
      Overrides:
      validateAuthnInstant in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
      Parameters:
      statement - the statement
      assertion - the assertion containing the statement
      context - validation context
      Returns:
      validation result
    • validateSsoAndSession

      protected org.opensaml.saml.common.assertion.ValidationResult validateSsoAndSession(Instant authnInstant, org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Makes checks for SSO and session lengths.
      Parameters:
      authnInstant - the authentication instant
      statement - the statement
      assertion - the assertion containing the statement
      context - validation context
      Returns:
      validation result
    • getMaxAcceptedSsoSessionTime

      protected static Duration getMaxAcceptedSsoSessionTime(org.opensaml.saml.common.assertion.ValidationContext context)
      Gets the maximum time we allow for SSO sessions.
      Parameters:
      context - the validation context
      Returns:
      the max time, or null if the time is not set
    • getForceAuthnFlag

      protected static Boolean getForceAuthnFlag(org.opensaml.saml.common.assertion.ValidationContext context)
      Gets the ForceAuthn flag from the validation context. The method first checks for the AUTHN_REQUEST_FORCE_AUTHN parameter and, if that is not present, falls back to the AuthnRequest supplied under the CoreValidatorParameters.AUTHN_REQUEST parameter.
      Parameters:
      context - the validation context
      Returns:
      the ForceAuthn flag or null if this is not set
    • getAuthnRequestIssueInstant

      protected static Instant getAuthnRequestIssueInstant(org.opensaml.saml.common.assertion.ValidationContext context)
      Gets the issue instant of the AuthnRequest from the validation context. The method first checks for the AUTHN_REQUEST_ISSUE_INSTANT parameter and, if that is not present, falls back to the AuthnRequest supplied under the CoreValidatorParameters.AUTHN_REQUEST parameter.
      Parameters:
      context - the validation context
      Returns:
      the issuance time or null if not set
    • validateSessionIndex

      protected org.opensaml.saml.common.assertion.ValidationResult validateSessionIndex(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Default implementation does not perform any checks and returns ValidationResult.VALID.
      Parameters:
      statement - the statement
      assertion - the assertion
      context - the validation context
      Returns:
      validation result
    • validateSessionNotOnOrAfter

      protected org.opensaml.saml.common.assertion.ValidationResult validateSessionNotOnOrAfter(org.opensaml.saml.saml2.core.AuthnStatement statement, org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.common.assertion.ValidationContext context)
      Default implementation does not perform any checks and returns ValidationResult.VALID.
      Parameters:
      statement - the statement
      assertion - the assertion
      context - the validation context
      Returns:
      validation result
    • validateAuthnContext

      @Nonnull protected org.opensaml.saml.common.assertion.ValidationResult validateAuthnContext(@Nonnull org.opensaml.saml.saml2.core.AuthnStatement statement, @Nonnull org.opensaml.saml.saml2.core.Assertion assertion, @Nonnull org.opensaml.saml.common.assertion.ValidationContext context)
      Default implementation will only assert that the AuthnContext element is present.
      Overrides:
      validateAuthnContext in class org.opensaml.saml.saml2.assertion.impl.AuthnStatementValidator
      Parameters:
      statement - the statement
      assertion - the assertion
      context - the validation context
      Returns:
      validation result
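Two of the hooks documented above, validateSessionIndex and validateSessionNotOnOrAfter, return ValidationResult.VALID without checking anything, and validateAuthnContext only asserts that the element is present. A service provider that has asked for a particular level of assurance therefore gets no enforcement from the defaults. The following added example (not code from the library or its author) shows a hypothetical subclass, StrictAuthnStatementValidator, that builds a ValidationContext carrying the three static parameters from the Field Details section and overrides validateAuthnContext and validateSessionNotOnOrAfter. It assumes the OpenSAML 4.x API (ValidationContext constructed from a Map, ValidationContext.setValidationFailureMessage, AuthnContextClassRef.getURI(), and SAML2AssertionValidationParameters.CLOCK_SKEW carrying a java.time.Duration); the class name and the REQUESTED_AUTHN_CONTEXT_URIS key are invented for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.annotation.Nonnull;

import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnStatement;

import se.swedenconnect.opensaml.saml2.assertion.validation.AuthnStatementValidator;

/**
 * Hypothetical subclass (added example, not part of the library) that tightens the hooks
 * whose default implementation returns VALID without checking anything.
 */
public class StrictAuthnStatementValidator extends AuthnStatementValidator {

  /** Hypothetical context key: the Set of AuthnContextClassRef URIs the SP requested. */
  public static final String REQUESTED_AUTHN_CONTEXT_URIS = "example.requestedAuthnContextUris";

  /**
   * Builds a ValidationContext carrying the static parameters this validator reads. The values
   * come from the SP's own AuthnRequest and policy, never from the response being validated.
   */
  public static ValidationContext buildContext(final boolean forceAuthn,
      final Instant authnRequestIssueInstant, final Duration maxSsoSessionTime,
      final Duration clockSkew, final Set<String> requestedUris) {
    final Map<String, Object> params = new HashMap<>();
    params.put(AUTHN_REQUEST_FORCE_AUTHN, forceAuthn);
    params.put(AUTHN_REQUEST_ISSUE_INSTANT, authnRequestIssueInstant);
    params.put(MAX_ACCEPTED_SSO_SESSION_TIME, maxSsoSessionTime);
    params.put(SAML2AssertionValidationParameters.CLOCK_SKEW, clockSkew);
    params.put(REQUESTED_AUTHN_CONTEXT_URIS, requestedUris);
    return new ValidationContext(params);
  }

  /** Requires the asserted AuthnContextClassRef to be one of the URIs the SP requested. */
  @Override
  @Nonnull
  protected ValidationResult validateAuthnContext(@Nonnull final AuthnStatement statement,
      @Nonnull final Assertion assertion, @Nonnull final ValidationContext context) {
    // The base implementation guarantees that the AuthnContext element is present.
    final ValidationResult base = super.validateAuthnContext(statement, assertion, context);
    if (base != ValidationResult.VALID) {
      return base;
    }
    @SuppressWarnings("unchecked")
    final Set<String> requested =
        (Set<String>) context.getStaticParameters().get(REQUESTED_AUTHN_CONTEXT_URIS);
    if (requested == null || requested.isEmpty()) {
      return ValidationResult.VALID; // nothing was requested, so there is nothing to enforce
    }
    final AuthnContextClassRef ref = statement.getAuthnContext().getAuthnContextClassRef();
    final String uri = ref != null ? ref.getURI() : null;
    if (uri == null || !requested.contains(uri)) {
      context.setValidationFailureMessage(String.format(
          "AuthnContextClassRef '%s' does not match the requested %s", uri, requested));
      return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
  }

  /** Rejects a statement whose SessionNotOnOrAfter has already passed, allowing for clock skew. */
  @Override
  protected ValidationResult validateSessionNotOnOrAfter(final AuthnStatement statement,
      final Assertion assertion, final ValidationContext context) {
    final Instant notOnOrAfter = statement.getSessionNotOnOrAfter();
    if (notOnOrAfter == null) {
      return ValidationResult.VALID; // the attribute is optional in SAML 2.0 Core
    }
    final Duration skew = (Duration) context.getStaticParameters()
        .getOrDefault(SAML2AssertionValidationParameters.CLOCK_SKEW, Duration.ZERO);
    final Instant now = Instant.now();
    // Invalid once (now - skew) is at or past the limit; the IdP's own clock may run ahead.
    if (!now.minus(skew).isBefore(notOnOrAfter)) {
      context.setValidationFailureMessage(String.format(
          "SessionNotOnOrAfter %s has passed (now %s, skew %s)", notOnOrAfter, now, skew));
      return ValidationResult.INVALID;
    }
    return ValidationResult.VALID;
  }
}
```

Because getForceAuthnFlag and getAuthnRequestIssueInstant fall back to the AuthnRequest stored under CoreValidatorParameters.AUTHN_REQUEST, the first two parameters in buildContext can be omitted when the request object itself is placed in the context; MAX_ACCEPTED_SSO_SESSION_TIME has no such fallback and must be set explicitly for validateSsoAndSession to bound the age of a reused IdP session.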