Package se.swedenconnect.spring.saml.idp.authentication.provider

Class BaseSsoVoter

java.lang.Object

se.swedenconnect.spring.saml.idp.authentication.provider.BaseSsoVoter

All Implemented Interfaces:

SsoVoter

public class BaseSsoVoter
extends Object
implements SsoVoter

A SsoVoter that checks basic conditions. It denies SSO for the following cases:

• The time that has passed since the original authentication exceeds the configured limit.
• The authentication context used in the original authentication does not match the current request or the ones supported by the IdP.

Author:

Martin Lindström

Nested Class Summary

Nested classes/interfaces inherited from interface se.swedenconnect.spring.saml.idp.authentication.provider.SsoVoter

SsoVoter.Vote

Constructor Summary

Constructors

Constructor	Description
BaseSsoVoter()

Method Summary

Modifier and Type	Method	Description
SsoVoter.Vote	mayReuse(Saml2UserAuthentication userAuthn, Saml2UserAuthenticationInputToken token, Collection<String> allowedAuthnContexts)	Predicate that tells whether the supplied Authentication object may be used in SSO (according to the voter's logic).
void	setSsoDurationLimit(Duration ssoDurationLimit)	Assigns the limit for accepting an older authentication for SSO (compared from its original authentication instant).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

BaseSsoVoter

public BaseSsoVoter()

Method Details

mayReuse

public SsoVoter.Vote mayReuse(Saml2UserAuthentication userAuthn,
 Saml2UserAuthenticationInputToken token,
 Collection<String> allowedAuthnContexts)

Predicate that tells whether the supplied Authentication object may be used in SSO (according to the voter's logic).

Specified by:

mayReuse in interface SsoVoter

Parameters:

userAuthn - the user authentication object

token - the authentication input token (for the current authentication)

allowedAuthnContexts - a collection of the allowed authentication contexts

Returns:

SsoVoter.Vote.OK if the voter is OK with re-using the authentication, SsoVoter.Vote.DENY if the voter states that the authentication may noy be re-used, and SsoVoter.Vote.DONT_KNOW if the voter doesn't know

setSsoDurationLimit

public void setSsoDurationLimit(Duration ssoDurationLimit)

Assigns the limit for accepting an older authentication for SSO (compared from its original authentication instant). The default is IdentityProviderSettings.SSO_DURATION_LIMIT_DEFAULT.

Parameters:

ssoDurationLimit - the duration