/** * Fills the request with information about scoping, including IDP in the scope IDP List. * * @param request request to fill * @param serviceURI destination to send the request to * @param options options driving generation of the element, contains list of allowed IDPs */ protected void buildScoping( AuthnRequest request, SingleSignOnService serviceURI, WebSSOProfileOptions options) { if (options.isIncludeScoping() != null && options.isIncludeScoping()) { Set<String> idpEntityNames = options.getAllowedIDPs(); IDPList idpList = buildIDPList(idpEntityNames, serviceURI); SAMLObjectBuilder<Scoping> scopingBuilder = (SAMLObjectBuilder<Scoping>) builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME); Scoping scoping = scopingBuilder.buildObject(); scoping.setIDPList(idpList); scoping.setProxyCount(options.getProxyCount()); request.setScoping(scoping); } }
/** * Return a list of eligible external idps. If no eligible ones found, return an empty list. * * <p>If scoping is set (proxyCount and IdpList), all registered idps that are in the Idplist are * eligible. If scoping is not set, all registered idps are eligible, meaning no restriction on * the proxy count. * * @return an empty list if no registered external idp or saml request does not want to proxy */ private List<String> getEligibleExternalIdpList(AuthnRequestState t) { Validate.notNull(t); IdmAccessor accessor = t.getIdmAccessor(); Scoping scoping = t.getAuthnRequest().getScoping(); IDPList idpList = null; List<String> validExternalIdpList = new ArrayList<>(); // Get the IDPList and proxycount if (scoping != null) { // validate ProxyCount: only use exteral idp if proxy count is set // and > 0 t.setProxyCount(scoping.getProxyCount()); idpList = scoping.getIDPList(); } // verify against proxy count and idpList if defined int proxyCount = t.getProxyCount() == null ? 0 : t.getProxyCount(); if (proxyCount > 0 && idpList != null && idpList.getIDPEntrys() != null) { List<IDPEntry> list = idpList.getIDPEntrys(); // If the list is provided: we will make sure it // a) if is proxying, the registered External IDP should be in the // list, if not force local authentication. // b) if not proxying && it should contain at least one eligible idp // note: SAML 2.0 processing rule does not require this. Since this // found IDP is not necessary // the one used later, it is unclear why we need this validation t.setIdpList(list); validExternalIdpList.addAll(findValidExternalIdpListWithinScoping(list, accessor)); if (validExternalIdpList.isEmpty()) { log.warn( "No trusted external IDP listed in SAML Request's IDPList. Force local authentication!"); } } else { // IDPList is not provided // set extIDPToUse to the registered external IDP if // isProxying==true log.debug("IDPList not provided. Choose from registered external IDP"); Collection<IDPConfig> extIdps = accessor.getExternalIdps(); if (extIdps != null && extIdps.size() > 0) { for (IDPConfig idpConfig : extIdps) { validExternalIdpList.add(idpConfig.getEntityID()); } } } return validExternalIdpList; }