/**
* Fills the request with information about scoping, including IDP in the scope IDP List.
*
* @param request request to fill
* @param serviceURI destination to send the request to
* @param options options driving generation of the element, contains list of allowed IDPs
*/
protected void buildScoping(
AuthnRequest request, SingleSignOnService serviceURI, WebSSOProfileOptions options) {
if (options.isIncludeScoping() != null && options.isIncludeScoping()) {
Set<String> idpEntityNames = options.getAllowedIDPs();
IDPList idpList = buildIDPList(idpEntityNames, serviceURI);
SAMLObjectBuilder<Scoping> scopingBuilder =
(SAMLObjectBuilder<Scoping>) builderFactory.getBuilder(Scoping.DEFAULT_ELEMENT_NAME);
Scoping scoping = scopingBuilder.buildObject();
scoping.setIDPList(idpList);
scoping.setProxyCount(options.getProxyCount());
request.setScoping(scoping);
}
}
/**
* Return a list of eligible external idps. If no eligible ones found, return an empty list.
*
* <p>If scoping is set (proxyCount and IdpList), all registered idps that are in the Idplist are
* eligible. If scoping is not set, all registered idps are eligible, meaning no restriction on
* the proxy count.
*
* @return an empty list if no registered external idp or saml request does not want to proxy
*/
private List<String> getEligibleExternalIdpList(AuthnRequestState t) {
Validate.notNull(t);
IdmAccessor accessor = t.getIdmAccessor();
Scoping scoping = t.getAuthnRequest().getScoping();
IDPList idpList = null;
List<String> validExternalIdpList = new ArrayList<>();
// Get the IDPList and proxycount
if (scoping != null) {
// validate ProxyCount: only use exteral idp if proxy count is set
// and > 0
t.setProxyCount(scoping.getProxyCount());
idpList = scoping.getIDPList();
}
// verify against proxy count and idpList if defined
int proxyCount = t.getProxyCount() == null ? 0 : t.getProxyCount();
if (proxyCount > 0 && idpList != null && idpList.getIDPEntrys() != null) {
List<IDPEntry> list = idpList.getIDPEntrys();
// If the list is provided: we will make sure it
// a) if is proxying, the registered External IDP should be in the
// list, if not force local authentication.
// b) if not proxying && it should contain at least one eligible idp
// note: SAML 2.0 processing rule does not require this. Since this
// found IDP is not necessary
// the one used later, it is unclear why we need this validation
t.setIdpList(list);
validExternalIdpList.addAll(findValidExternalIdpListWithinScoping(list, accessor));
if (validExternalIdpList.isEmpty()) {
log.warn(
"No trusted external IDP listed in SAML Request's IDPList. Force local authentication!");
}
} else {
// IDPList is not provided
// set extIDPToUse to the registered external IDP if
// isProxying==true
log.debug("IDPList not provided. Choose from registered external IDP");
Collection<IDPConfig> extIdps = accessor.getExternalIdps();
if (extIdps != null && extIdps.size() > 0) {
for (IDPConfig idpConfig : extIdps) {
validExternalIdpList.add(idpConfig.getEntityID());
}
}
}
return validExternalIdpList;
}
