Module org.codelibs.saml2.core
Package org.codelibs.saml2.core.authn

Class SamlResponse

java.lang.Object
org.codelibs.saml2.core.authn.SamlResponse
public class SamlResponse extends Object
SamlResponse class of Java Toolkit. A class that implements SAML 2 Authentication Response parser/validator

  • Constructor Details

    • SamlResponse

      public SamlResponse(Saml2Settings settings, String currentUrl, String samlResponse)
      Constructor to have a Response object fully built and ready to validate the saml response.
      Parameters:
      settings - Saml2Settings object. Setting data
      currentUrl - URL of the current host + current view
      samlResponse - A string containting the base64 encoded response from the IdP

    • SamlResponse

      public SamlResponse(Saml2Settings settings, HttpRequest request)
      Constructor to have a Response object fully built and ready to validate the saml response.
      Parameters:
      settings - Saml2Settings object. Setting data
      request - the HttpRequest object to be processed (Contains GET and POST parameters, request URL, ...).

  • Method Details

    • loadXmlFromBase64

      public void loadXmlFromBase64(String responseStr)
      Load a XML base64encoded SAMLResponse
      Parameters:
      responseStr - Saml2Settings object. Setting data

    • isValid

      public boolean isValid(String requestId)
      Determines if the SAML Response is valid using the certificate.
      Parameters:
      requestId - The ID of the AuthNRequest sent by this SP to the IdP
      Returns:
      if the response is valid or not

    • isValid

      public boolean isValid()
      Determines if the SAML Response is valid using the certificate.
      Returns:
      if the response is valid or not

    • getNameIdData

      public Map<String,String> getNameIdData()
      Gets the NameID provided from the SAML Response Document.
      Returns:
      the Name ID Data (Value, Format, NameQualifier, SPNameQualifier)

    • getNameId

      public String getNameId()
      Gets the NameID value provided from the SAML Response String.
      Returns:
      string Name ID Value

    • getNameIdFormat

      public String getNameIdFormat()
      Gets the NameID Format provided from the SAML Response String.
      Returns:
      string NameID Format

    • getNameIdNameQualifier

      public String getNameIdNameQualifier()
      Gets the NameID NameQualifier provided from the SAML Response String.
      Returns:
      string NameQualifier

    • getNameIdSPNameQualifier

      public String getNameIdSPNameQualifier()
      Gets the NameID SP NameQualifier provided from the SAML Response String.
      Returns:
      string SP NameQualifier

    • getAttributes

      public Map<String,List<String>> getAttributes()
      Gets the Attributes from the AttributeStatement element.
      Returns:
      the attributes of the SAML Assertion

    • getResponseStatus

      public SamlResponseStatus getResponseStatus()
      Returns the ResponseStatus object
      Returns:

    • checkStatus

      public void checkStatus()
      Checks the Status If status is not success

    • getStatus

      public static SamlResponseStatus getStatus(Document dom)
      Get Status from a Response
      Parameters:
      dom - The Response as XML
      Returns:
      SamlResponseStatus

    • checkOneCondition

      public Boolean checkOneCondition()
      Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
      Returns:
      true if the Conditions element exists and is unique

    • checkOneAuthnStatement

      public Boolean checkOneAuthnStatement()
      Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
      Returns:
      true if the AuthnStatement element exists and is unique

    • getAudiences

      public List<String> getAudiences()
      Gets the audiences.
      Returns:
      the audiences of the response

    • getResponseIssuer

      public String getResponseIssuer()
      Gets the Response Issuer.
      Returns:
      the Response Issuer, or null if not specified if multiple Response issuers were found
      See Also:

    • getAssertionIssuer

      public String getAssertionIssuer()
      Gets the Assertion Issuer.
      Returns:
      the Assertion Issuer if no Assertion Issuer could be found, or if multiple Assertion issuers were found
      See Also:

    • getIssuers

      @Deprecated public List<String> getIssuers()
      Deprecated.
      use getResponseIssuer() and/or getAssertionIssuer(); the contract of this method is quite controversial
      Gets the Issuers (from Response and Assertion). If the same issuer appears both in the Response and in the Assertion (as it should), the returned list will contain it just once. Hence, the returned list should always return one element and in particular:
      • it will never contain zero elements (it means an Assertion Issuer could not be found, hence a ValidationException will be thrown instead)
      • if it contains more than one element, it means that the response is invalid and one of the returned issuers won't pass the check performed by isValid(String) (which requires both issuers to be equal to the Identity Provider entity id)

      Warning: as a consequence of the above, if this response status code is not a successful one, this method will throw a ValidationException because it won't find any Assertion Issuer. In this case, if you need to retrieve the Response Issuer any way, you must use getResponseIssuer() instead.

      Returns:
      the issuers of the assertion/response if multiple Response Issuers or multiple Assertion Issuers were found, or if no Assertion Issuer could be found
      See Also:

    • getSessionNotOnOrAfter

      public Instant getSessionNotOnOrAfter()
      Gets the SessionNotOnOrAfter from the AuthnStatement. Could be used to set the local session expiration
      Returns:
      the SessionNotOnOrAfter value

    • getSessionIndex

      public String getSessionIndex()
      Gets the SessionIndex from the AuthnStatement. Could be used to be stored in the local session in order to be used in a future Logout Request that the SP could send to the SP, to set what specific session must be deleted
      Returns:
      the SessionIndex value

    • getId

      public String getId()
      Returns:
      the ID of the Response

    • getAssertionId

      public String getAssertionId()
      Returns:
      the ID of the assertion in the Response

    • getAssertionNotOnOrAfter

      public List<Instant> getAssertionNotOnOrAfter()
      Returns:
      a list of NotOnOrAfter values from SubjectConfirmationData nodes in this Response

    • validateNumAssertions

      public boolean validateNumAssertions()
      Verifies that the document only contains a single Assertion (encrypted or not).
      Returns:
      true if the document passes.

    • processSignedElements

      public ArrayList<String> processSignedElements()
      Verifies the signature nodes: - Checks that are Response or Assertion - Check that IDs and reference URI are unique and consistent.
      Returns:
      array Signed element tags

    • validateSignedElements

      public boolean validateSignedElements(ArrayList<String> signedElements)
      Verifies that the document has the expected signed nodes.
      Parameters:
      signedElements - the elements to be validated
      Returns:
      true if is valid

    • validateTimestamps

      public boolean validateTimestamps()
      Verifies that the document is still valid according Conditions Element.
      Returns:
      true if still valid

    • setDestinationUrl

      public void setDestinationUrl(String url)
      Aux method to set the destination url
      Parameters:
      url - the url to set as currentUrl

    • getError

      public String getError()
      After execute a validation process, if fails this method returns the cause
      Returns:
      the cause of the validation error as a string

    • getValidationException

      public Exception getValidationException()
      After execute a validation process, if fails this method returns the Exception object
      Returns:
      the cause of the validation error

    • setValidationException

      protected void setValidationException(Exception validationException)
      Sets the validation exception that this SamlResponse should return when a validation error occurs.
      Parameters:
      validationException - the validation exception to set

    • queryAssertion

      protected NodeList queryAssertion(String assertionXpath)
      Extracts a node from the DOMDocument (Assertion).
      Parameters:
      assertionXpath - Xpath Expression
      Returns:
      the queried node

    • query

      protected NodeList query(String nameQuery, Node context)
      Extracts nodes that match the query from the DOMDocument (Response Message)
      Parameters:
      nameQuery - Xpath Expression
      context - The context node
      Returns:
      DOMNodeList The queried nodes

    • getSAMLResponseXml

      public String getSAMLResponseXml()
      Returns:
      the SAMLResponse XML, If the Assertion of the SAMLResponse was encrypted, returns the XML with the assertion decrypted

    • getSAMLResponseDocument

      protected Document getSAMLResponseDocument()
      Returns:
      the SAMLResponse Document, If the Assertion of the SAMLResponse was encrypted, returns the Document with the assertion decrypted

    • validateAudiences

      protected void validateAudiences()
      Validates the audiences.

    • validateDestination

      protected void validateDestination(Element element)
      Validate the destination.
      Parameters:
      element - element with the destination attribute

    • validateRecipient

      protected SubjectConfirmationIssue validateRecipient(Node recipient, int index)
      Validate a subject confirmation recipient.
      Parameters:
      recipient - recipient node
      index - index of the subject confirmation node
      Returns:
      a subject confirmation issue or null

    • validateSpNameQualifier

      protected void validateSpNameQualifier(String spNameQualifier)
      Validates a SPNameQualifier.
      Parameters:
      spNameQualifier - the SPNameQualifier

    • getResponseIssueInstant

      public Calendar getResponseIssueInstant()
      Returns the issue instant of this message.
      Returns:
      a new Calendar instance carrying the issue instant of this message if the found IssueInstant attribute is not in the expected UTC form of ISO-8601 format