Class SADParser.SADValidator

java.lang.Object
se.swedenconnect.opensaml.sweid.saml2.signservice.SADParser.SADValidator
Enclosing class:
SADParser

public static class SADParser.SADValidator extends Object
A validator for verifying the SAD JWT.
Author:
Martin Lindström (martin@idsec.se)
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final Duration
    DEFAULT_ALLOWED_CLOCK_SKEW
    Default allowed clock skew.
  • Constructor Summary

    Constructors
    Constructor
    Description
    SADValidator(X509Certificate... certificates)
    Constructor initializing the validator with a set of certificates that are to be used for JWT signature validation.
    SADValidator(org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata)
    Creates a SAD validator initialized with the IdP EntityDescriptor (metadata) from which the IdP signing key/certificate will be read (needed for JWT signature validation).
    SADValidator(MetadataProvider metadataProvider)
    Constructor creating a SAD validator initialized with a MetadataProvider instance.
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    setAllowedClockSkew(Duration allowedClockSkew)
    Assigns the allowed clock skew.
    SAD
    validate(String sadJwt, String idpEntityID, String expectedRecipientEntityID, String expectedSubject, String expectedLoa, String sadRequestID, int expectedNoDocs, String signRequestID)
    Validates a SAD based on expected data.
    SAD
    validate(org.opensaml.saml.saml2.core.AuthnRequest authnRequest, org.opensaml.saml.saml2.core.Assertion assertion)
    Validates the SAD issued in an Assertion based on the AuthnRequest containing a SADRequest.
    void
    verifyJwtSignature(String sadJwt, String idpEntityID)
    Verifies the signature on the supplied SAD JWT.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • DEFAULT_ALLOWED_CLOCK_SKEW

      public static final Duration DEFAULT_ALLOWED_CLOCK_SKEW
      Default allowed clock skew.
  • Constructor Details

    • SADValidator

      public SADValidator(X509Certificate... certificates)
      Constructor initializing the validator with a set of certificates that are to be used for JWT signature validation. These certificates are the IdP signing certificates obtained from the IdP metadata entry.
      Parameters:
      certificates - certificate(s) to be used when verifying the JWT signature
    • SADValidator

      public SADValidator(MetadataProvider metadataProvider)
      Constructor creating a SAD validator initialized with a MetadataProvider instance. During JWT signature validation the IdP signature certificate will be obtained from the IdP metadata entry held by the metadata provider.
      Parameters:
      metadataProvider - metadata provider
    • SADValidator

      public SADValidator(org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata)
      Creates a SAD validator initialized with the IdP EntityDescriptor (metadata) from which the IdP signing key/certificate will be read (needed for JWT signature validation).
      Parameters:
      idpMetadata - the IdP metadata
  • Method Details

    • validate

      public SAD validate(org.opensaml.saml.saml2.core.AuthnRequest authnRequest, org.opensaml.saml.saml2.core.Assertion assertion) throws SADValidationException, IllegalArgumentException
      Validates the SAD issued in an Assertion based on the AuthnRequest containing a SADRequest.
      Parameters:
      authnRequest - the AuthnRequest holding the SADRequest
      assertion - the Assertion holding the sad attribute (as an encoded JWT)
      Returns:
      a SAD object, or null if no SAD was requested (and issued)
      Throws:
      SADValidationException - for SAD validation errors
      IllegalArgumentException - if the supplied AuthnRequest does not contain a SADRequest extension, or is invalid by other means (e.g., missing LoA)
    • validate

      public SAD validate(String sadJwt, String idpEntityID, String expectedRecipientEntityID, String expectedSubject, String expectedLoa, String sadRequestID, int expectedNoDocs, String signRequestID) throws SADValidationException
      Validates a SAD based on expected data. If the AuthnRequest and the issued Assertion are available, the method validate(AuthnRequest, Assertion) is the better option, since it derives all expected values from the request itself.

      Note: It is assumed that the supplied expectedSubject parameter is an attribute value read from the assertion, having the attribute name indicated in the 'attr' field of the SAD. If this attribute name is not known in advance, the SAD needs to be parsed (SADParser.parse(String)) so that the 'attr' field can be read and the correct attribute value located in the assertion. Parsing only decodes the JWT; none of its contents may be trusted until validate has verified the signature and claims.

      Parameters:
      sadJwt - the encoded SAD JWT (found in the sad attribute of a received assertion)
      idpEntityID - the entityID of the issuing IdP (the issuer of the received assertion holding the sad attribute)
      expectedRecipientEntityID - the entityID of the recipient (the signature service SP that issued the SADRequest)
      expectedSubject - the expected subject name (user ID). See note above
      expectedLoa - the expected level of assurance to be found in the SAD (should be the LoA found in the assertion)
      sadRequestID - the ID of the SADRequest extension that was sent to the IdP
      expectedNoDocs - expected number of documents (from the DocCount element of the SADRequest)
      signRequestID - ID for the SignRequest that was included in the SADRequest
      Returns:
      a SAD object
      Throws:
      SADValidationException - for validation errors
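
      The following is an added usage example, not code from the library or its documentation. It shows how a signature service SP would use SADValidator on both paths described above: the preferred validate(AuthnRequest, Assertion) call, and the expected-data call where the SAD is first parsed to learn which assertion attribute carries the subject. Package names for MetadataProvider, SAD and SADValidationException, the SAD getter used to read the 'attr' field (getSeElnSadext().getAttributeName()), and the String constructor of SADValidationException are assumptions; only SADParser's package is given on this page.

```java
import java.util.List;

import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.AuthnRequest;

import se.swedenconnect.opensaml.saml2.metadata.provider.MetadataProvider; // assumed package
import se.swedenconnect.opensaml.sweid.saml2.signservice.SADParser;
import se.swedenconnect.opensaml.sweid.saml2.signservice.SADValidationException; // assumed package
import se.swedenconnect.opensaml.sweid.saml2.signservice.dss.SAD; // assumed package

/**
 * Example consumer of SADParser.SADValidator in a signature service SP (added example, not library code).
 */
public final class SadCheck {

  private final SADParser.SADValidator validator;

  public SadCheck(final MetadataProvider metadataProvider) {
    // The IdP signing certificate is looked up in the metadata entry at verification time.
    this.validator = new SADParser.SADValidator(metadataProvider);
    // Keep the default skew unless a measured need exists; a wider skew lengthens the
    // window in which an expired or replayed SAD is still accepted.
    this.validator.setAllowedClockSkew(SADParser.SADValidator.DEFAULT_ALLOWED_CLOCK_SKEW);
  }

  /**
   * Preferred path: the AuthnRequest (carrying the SADRequest) and the Assertion are both at hand,
   * so recipient, subject, LoA, request IDs and document count are all taken from them.
   * Returns null only if no SAD was requested (and issued); a SADValidationException must abort signing.
   */
  public SAD validateFromRequest(final AuthnRequest authnRequest, final Assertion assertion)
      throws SADValidationException {
    return this.validator.validate(authnRequest, assertion);
  }

  /**
   * Fallback path: the AuthnRequest is gone and only the values it carried remain.
   * The SAD's 'attr' field names the assertion attribute that holds the subject, so the
   * JWT is parsed (not trusted) first to learn which attribute to read.
   */
  public SAD validateFromExpectedData(final String sadJwt, final Assertion assertion,
      final String spEntityID, final String expectedLoa, final String sadRequestID,
      final int docCount, final String signRequestID) throws SADValidationException {

    final SAD parsed = SADParser.parse(sadJwt);
    final String subjectAttributeName = parsed.getSeElnSadext().getAttributeName(); // assumed getter
    final String expectedSubject = singleStringAttribute(assertion, subjectAttributeName);
    if (expectedSubject == null) {
      // assumed String constructor
      throw new SADValidationException("Assertion has no single-valued string attribute " + subjectAttributeName);
    }
    // The issuer comes from the (already signature-checked) assertion, never from the JWT's own claims.
    final String idpEntityID = assertion.getIssuer().getValue();
    return this.validator.validate(sadJwt, idpEntityID, spEntityID, expectedSubject,
        expectedLoa, sadRequestID, docCount, signRequestID);
  }

  /** Returns the value of the named attribute if it is present exactly once as a string, else null. */
  private static String singleStringAttribute(final Assertion assertion, final String name) {
    for (final AttributeStatement statement : assertion.getAttributeStatements()) {
      for (final Attribute attribute : statement.getAttributes()) {
        if (name.equals(attribute.getName())) {
          final List<XMLObject> values = attribute.getAttributeValues();
          if (values.size() == 1 && values.get(0) instanceof XSString) {
            return ((XSString) values.get(0)).getValue();
          }
          return null; // multi-valued or non-string subject attribute: refuse to guess
        }
      }
    }
    return null;
  }
}
```

      Both paths bind the SAD to the concrete SADRequest (sadRequestID, signRequestID, recipient entityID, document count) rather than accepting any validly signed SAD from the IdP, which is what prevents a SAD issued for one signing operation from being presented for another.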
    • verifyJwtSignature

      public void verifyJwtSignature(String sadJwt, String idpEntityID) throws SADValidationException
      Verifies the signature on the supplied SAD JWT.
      Parameters:
      sadJwt - the SAD JWT
      idpEntityID - the entityID of the IdP that signed the JWT
      Throws:
      SADValidationException - for signature validation errors
    • setAllowedClockSkew

      public void setAllowedClockSkew(Duration allowedClockSkew)
      Assigns the allowed clock skew. The default is DEFAULT_ALLOWED_CLOCK_SKEW.
      Parameters:
      allowedClockSkew - allowed clock skew