Interface AuthnRequestGeneratorContext
AuthnRequestGenerator.generateAuthnRequest(String, String, AuthnRequestGeneratorContext) creates an authentication request.
- Author:
- Martin Lindström (martin@idsec.se)
-
Nested Class Summary
Modifier and Type | Interface | Description
- static interface: When the generator is about to add the AssertionConsumerServiceURL or AssertionConsumerServiceIndex attribute it will invoke the getAssertionConsumerServiceResolver() method in order to get a function that given all possible AssertionConsumerService elements (found in the SP metadata) will either return a String (holding the AssertionConsumerServiceURL to use) or an Integer (holding the AssertionConsumerServiceIndex to use).
- static interface: If the SP metadata contains one or more AttributeConsumingService elements, the generator needs to know whether to include the AttributeConsumingServiceIndex attribute, and if so, which index to use.
- static interface: When the generator is done building the AuthnRequest, but before it is signed, it will ask the getAuthnRequestCustomizer() method for the customizer that may operate and add customizations to the request object.
- static enum: Enumeration that tells whether the Holder-of-key WebSSO profile is required, optional or not active.
- static interface: A NameIDPolicyBuilderFunction is used by the generator to create the NameIDPolicy element.
- static interface: The generator will need to know how to build the RequestedAuthnContext element that is to be included in the AuthnRequest.
-
Method Summary
Modifier and Type | Method | Description
- Gets the AuthnRequestGeneratorContext.AssertionConsumerServiceResolver to use for resolving which AssertionConsumerService to use and whether to produce an AssertionConsumerServiceURL or AssertionConsumerServiceIndex attribute.
- Gets the resolver function for determining how to create the AttributeConsumingServiceIndex attribute.
- default Boolean: Gets the ForceAuthn attribute value.
- Gets the SP requirement for using the Holder-of-key profile.
- default Boolean: Gets the IsPassive attribute value.
- Gets the builder for creating a NameIDPolicy element.
- default org.opensaml.security.x509.X509Credential: The AuthnRequestGenerator is normally configured with a signing credential (AuthnRequestGenerator#getSignCredential()).
- default String: Gets the binding to use when generating a request (redirect/POST).
- Gets the builder function for creating the RequestedAuthnContext element to add to the AuthnRequest.
- default org.opensaml.xmlsec.SignatureSigningConfiguration: If a signature configuration, other than the default (SecurityConfigurationSupport.getGlobalSignatureSigningConfiguration()) should be used to sign the request this method should return this configuration.
-
Method Details
-
getPreferredBinding
Gets the binding to use when generating a request (redirect/POST). This binding will be used in all cases except when the IdP does not support the binding.
The default implementation returns "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".
- Returns:
- the preferred binding
-
getHokRequirement
Gets the SP requirement for using the Holder-of-key profile. The default is that the SP does not support HoK.
- Returns:
- a HoK requirement
-
getForceAuthnAttribute
Gets the ForceAuthn attribute value. The default implementation returns true. If null is returned, the ForceAuthn attribute will not be included.
- Returns:
- the ForceAuthn attribute
-
getIsPassiveAttribute
Gets the IsPassive attribute value. The default implementation returns null. If null is returned, the IsPassive attribute will not be included.
- Returns:
- the IsPassive attribute
-
getSignatureSigningConfiguration
default org.opensaml.xmlsec.SignatureSigningConfiguration getSignatureSigningConfiguration()
If a signature configuration, other than the default (SecurityConfigurationSupport.getGlobalSignatureSigningConfiguration()) should be used to sign the request this method should return this configuration. The default implementation returns null.
- Returns:
- the signature configuration, or null
-
getAssertionConsumerServiceResolver
default AuthnRequestGeneratorContext.AssertionConsumerServiceResolver getAssertionConsumerServiceResolver()
Gets the AuthnRequestGeneratorContext.AssertionConsumerServiceResolver to use for resolving which AssertionConsumerService to use and whether to produce an AssertionConsumerServiceURL or AssertionConsumerServiceIndex attribute. The default implementation will return an AssertionConsumerServiceURL based on (1) isDefault attribute and (2) the lowest Index.
- Returns:
- a function for resolving AssertionConsumerService elements
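The default selection rule described above, sketched as an added example (not code from the library). The Acs record and selectUrl method are hypothetical stand-ins for the OpenSAML types, and reading the rule as "an isDefault=true entry wins, otherwise lowest index, with ties broken by index" is an assumption.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class DefaultAcsSelection {

  // Hypothetical stand-in for an AssertionConsumerService metadata element (not an OpenSAML type).
  record Acs(String location, Integer index, Boolean isDefault) {}

  // Assumed reading of the documented default: prefer an entry with isDefault=true,
  // otherwise take the entry with the lowest index. Only locations that are present
  // in the supplied metadata list can ever be returned.
  static Optional<String> selectUrl(List<Acs> services) {
    // Entries without an index sort after indexed ones.
    Comparator<Acs> byIndex = Comparator.comparing(
        Acs::index, Comparator.nullsLast(Comparator.naturalOrder()));
    return services.stream()
        .filter(a -> a.location() != null && !a.location().isBlank())
        .min(Comparator
            // Key is false for isDefault=true entries, and false sorts before true.
            .comparing((Acs a) -> !Boolean.TRUE.equals(a.isDefault()))
            .thenComparing(byIndex))
        .map(Acs::location);
  }

  public static void main(String[] args) {
    // Constructed sample metadata entries.
    List<Acs> withDefault = List.of(
        new Acs("https://sp.example.com/saml/post", 0, null),
        new Acs("https://sp.example.com/saml/hok", 1, Boolean.TRUE));
    List<Acs> noDefault = List.of(
        new Acs("https://sp.example.com/saml/b", 2, Boolean.FALSE),
        new Acs("https://sp.example.com/saml/a", 1, null));

    // Case 1: one entry is flagged isDefault, although another has a lower index.
    System.out.println(selectUrl(withDefault));
    // Case 2: no entry is flagged isDefault, so the index decides.
    System.out.println(selectUrl(noDefault));
    // Case 3: no AssertionConsumerService elements at all.
    System.out.println(selectUrl(List.of()));
  }
}
```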
-
getAttributeConsumingServiceIndexResolver
default AuthnRequestGeneratorContext.AttributeConsumingServiceIndexResolver getAttributeConsumingServiceIndexResolver()
Gets the resolver function for determining how to create the AttributeConsumingServiceIndex attribute. The default implementation returns null, meaning that no attribute is added.
- Returns:
- a resolver function
-
getNameIDPolicyBuilderFunction
Gets the builder for creating a NameIDPolicy element. The default implementation will use the first NameIDFormat in the list and create a NameIDPolicy element with this value as the Format attribute and the AllowCreate set to true. If the supplied list is empty, the format will be set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Returns:
- a builder function
-
getRequestedAuthnContextBuilderFunction
default AuthnRequestGeneratorContext.RequestedAuthnContextBuilderFunction getRequestedAuthnContextBuilderFunction()
Gets the builder function for creating the RequestedAuthnContext element to add to the AuthnRequest. The default implementation will create a RequestedAuthnContext object with exact matching and all assurance certification URIs included in the supplied list.
- Returns:
- a function that returns a RequestedAuthnContext (or null).
-
getAuthnRequestCustomizer
Gets the AuthnRequestGeneratorContext.AuthnRequestCustomizer. The default implementation returns a NO-OP consumer, meaning no customizations are done.
- Returns:
- a consumer working on the AuthnRequest object being built
-
getOverrideSignCredential
default org.opensaml.security.x509.X509Credential getOverrideSignCredential()
The AuthnRequestGenerator is normally configured with a signing credential (AuthnRequestGenerator#getSignCredential()). This method exists so that we may override the default credential. Mainly for testing purposes. The default implementation returns null.
- Returns:
- the signing credential to use, or null if no override should be done
-