コード例 #1
0
  /**
   * Fills the request with information about scoping, including IDP in the scope IDP List.
   *
   * @param request request to fill
   * @param serviceURI destination to send the request to
   * @param options options driving generation of the element, contains list of allowed IDPs
   */
  protected void buildScoping(
      AuthnRequest request, SingleSignOnService serviceURI, WebSSOProfileOptions options) {

    if (options.isIncludeScoping() != null && options.isIncludeScoping()) {

      Set<String> idpEntityNames = options.getAllowedIDPs();
      IDPList idpList = buildIDPList(idpEntityNames, serviceURI);
      SAMLObjectBuilder<Scoping> scopingBuilder =
          (SAMLObjectBuilder<Scoping>) builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME);
      Scoping scoping = scopingBuilder.buildObject();
      scoping.setIDPList(idpList);
      scoping.setProxyCount(options.getProxyCount());
      request.setScoping(scoping);
    }
  }
コード例 #2
0
  /**
   * Return a list of eligible external idps. If no eligible ones found, return an empty list.
   *
   * <p>If scoping is set (proxyCount and IdpList), all registered idps that are in the Idplist are
   * eligible. If scoping is not set, all registered idps are eligible, meaning no restriction on
   * the proxy count.
   *
   * @return an empty list if no registered external idp or saml request does not want to proxy
   */
  private List<String> getEligibleExternalIdpList(AuthnRequestState t) {
    Validate.notNull(t);
    IdmAccessor accessor = t.getIdmAccessor();
    Scoping scoping = t.getAuthnRequest().getScoping();
    IDPList idpList = null;
    List<String> validExternalIdpList = new ArrayList<>();

    // Get the IDPList and proxycount
    if (scoping != null) {
      // validate ProxyCount: only use exteral idp if proxy count is set
      // and > 0
      t.setProxyCount(scoping.getProxyCount());
      idpList = scoping.getIDPList();
    }

    // verify against proxy count and idpList if defined
    int proxyCount = t.getProxyCount() == null ? 0 : t.getProxyCount();
    if (proxyCount > 0 && idpList != null && idpList.getIDPEntrys() != null) {
      List<IDPEntry> list = idpList.getIDPEntrys();
      // If the list is provided: we will make sure it
      // a) if is proxying, the registered External IDP should be in the
      // list, if not force local authentication.
      // b) if not proxying && it should contain at least one eligible idp
      // note: SAML 2.0 processing rule does not require this. Since this
      // found IDP is not necessary
      // the one used later, it is unclear why we need this validation
      t.setIdpList(list);
      validExternalIdpList.addAll(findValidExternalIdpListWithinScoping(list, accessor));
      if (validExternalIdpList.isEmpty()) {
        log.warn(
            "No trusted external IDP listed in SAML Request's IDPList. Force local authentication!");
      }
    } else {
      // IDPList is not provided
      // set extIDPToUse to the registered external IDP if
      // isProxying==true
      log.debug("IDPList not provided.  Choose from registered external IDP");
      Collection<IDPConfig> extIdps = accessor.getExternalIdps();
      if (extIdps != null && extIdps.size() > 0) {
        for (IDPConfig idpConfig : extIdps) {
          validExternalIdpList.add(idpConfig.getEntityID());
        }
      }
    }

    return validExternalIdpList;
  }