Package com.onelogin.saml2.authn
Class SamlResponse
java.lang.Object
com.onelogin.saml2.authn.SamlResponse
SamlResponse class of OneLogin's Java Toolkit.
A class that implements a SAML 2 Authentication Response parser/validator.
Field Summary
- private String currentUrl: URL of the current host + current view
- private Document decryptedDocument: A DOMDocument object loaded from the SAML Response (Decrypted).
- private Boolean encrypted: Mark if the response contains an encrypted assertion.
- private static final org.slf4j.Logger LOGGER: Private property to construct a logger for this class.
- nameIdData: NameID Data
- private SamlResponseStatus responseStatus: The response status code and messages
- private Document samlResponseDocument: A DOMDocument object loaded from the SAML Response.
- private String samlResponseString: The decoded, unprocessed XML response provided to the constructor.
- private final Saml2Settings settings: Settings data.
- private Exception validationException: After validation, if it fails this property has the cause of the problem
Constructor Summary
- SamlResponse(Saml2Settings settings, HttpRequest request): Constructor to have a Response object fully built and ready to validate the SAML response.
- SamlResponse(Saml2Settings settings, String currentUrl, String samlResponse): Constructor to have a Response object fully built and ready to validate the SAML response.
Method Summary
- checkOneAuthnStatement(): Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
- checkOneCondition(): Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
- void checkStatus(): Checks the Status
- private Document decryptAssertion(Document dom): Decrypt assertion.
- getAssertionId()
- getAssertionIssuer(): Gets the Assertion Issuer.
- getAssertionNotOnOrAfter()
- getAttributes(): Gets the Attributes from the AttributeStatement element.
- getAudiences(): Gets the audiences.
- getError(): After a validation process has been executed, if it failed this method returns the cause
- getId()
- getIssuers(): Deprecated.
- getNameId(): Gets the NameID value provided from the SAML Response String.
- getNameIdData(): Gets the NameID provided from the SAML Response Document.
- getNameIdFormat(): Gets the NameID Format provided from the SAML Response String.
- getNameIdNameQualifier(): Gets the NameID NameQualifier provided from the SAML Response String.
- getNameIdSPNameQualifier(): Gets the NameID SP NameQualifier provided from the SAML Response String.
- getResponseIssueInstant(): Returns the issue instant of this message.
- getResponseIssuer(): Gets the Response Issuer.
- getResponseStatus(): Returns the ResponseStatus object
- protected Document getSAMLResponseDocument()
- getSAMLResponseXml()
- getSessionIndex(): Gets the SessionIndex from the AuthnStatement.
- getSessionNotOnOrAfter(): Gets the SessionNotOnOrAfter from the AuthnStatement.
- static SamlResponseStatus getStatus(Document dom): Get Status from a Response
- getValidationException(): After a validation process has been executed, if it failed this method returns the Exception object
- boolean isValid(): Determines if the SAML Response is valid using the certificate.
- boolean isValid(String requestId): Determines if the SAML Response is valid using the certificate.
- void loadXmlFromBase64(String responseStr): Load an XML base64-encoded SAMLResponse
- processSignedElements(): Verifies the signature nodes: checks that they are Response or Assertion; checks that IDs and reference URIs are unique and consistent.
- protected NodeList query(String nameQuery, Node context): Extracts nodes that match the query from the DOMDocument (Response Message)
- protected NodeList queryAssertion(String assertionXpath): Extracts a node from the DOMDocument (Assertion).
- void setDestinationUrl(String url): Aux method to set the destination url
- protected void setValidationException(Exception validationException): Sets the validation exception that this SamlResponse should return when a validation error occurs.
- protected void validateAudiences(): Validates the audiences.
- protected void validateDestination(Element element): Validate the destination.
- validateNumAssertions(): Verifies that the document only contains a single Assertion (encrypted or not).
- protected SubjectConfirmationIssue validateRecipient(Node recipient, int index): Validate a subject confirmation recipient.
- boolean validateSignedElements(ArrayList<String> signedElements): Verifies that the document has the expected signed nodes.
- protected void validateSpNameQualifier(String spNameQualifier): Validates a SPNameQualifier.
- private void validateSubjectConfirmation(String responseInResponseTo): Check SubjectConfirmation; at least one SubjectConfirmation must be valid
- boolean validateTimestamps(): Verifies that the document is still valid according to the Conditions Element.
Field Details
- LOGGER
  private static final org.slf4j.Logger LOGGER
  Private property to construct a logger for this class.
- settings
  private final Saml2Settings settings
  Settings data.
- samlResponseString
  private String samlResponseString
  The decoded, unprocessed XML response provided to the constructor.
- samlResponseDocument
  private Document samlResponseDocument
  A DOMDocument object loaded from the SAML Response.
- decryptedDocument
  private Document decryptedDocument
  A DOMDocument object loaded from the SAML Response (Decrypted).
- nameIdData
  NameID Data
- currentUrl
  private String currentUrl
  URL of the current host + current view
- encrypted
  private Boolean encrypted
  Mark if the response contains an encrypted assertion.
- validationException
  private Exception validationException
  After validation, if it fails this property has the cause of the problem
- responseStatus
  private SamlResponseStatus responseStatus
  The response status code and messages
Constructor Details
- SamlResponse
  public SamlResponse(Saml2Settings settings, String currentUrl, String samlResponse)
      throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError
  Constructor to have a Response object fully built and ready to validate the SAML response.
  Parameters:
    settings - Saml2Settings object. Setting data
    currentUrl - URL of the current host + current view
    samlResponse - A string containing the base64 encoded response from the IdP
  Throws:
    ValidationError, SettingsException, IOException, SAXException, ParserConfigurationException, XPathExpressionException
- SamlResponse
  public SamlResponse(Saml2Settings settings, HttpRequest request)
      throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError
  Constructor to have a Response object fully built and ready to validate the SAML response.
  Parameters:
    settings - Saml2Settings object. Setting data
    request - the HttpRequest object to be processed (contains GET and POST parameters, request URL, ...).
  Throws:
    ValidationError, SettingsException, IOException, SAXException, ParserConfigurationException, XPathExpressionException, NullPointerException
Method Details
- loadXmlFromBase64
  public void loadXmlFromBase64(String responseStr)
      throws ParserConfigurationException, XPathExpressionException, SAXException, IOException, SettingsException, ValidationError
  Load an XML base64-encoded SAMLResponse
  Parameters:
    responseStr - the base64 encoded SAMLResponse string to load
  Throws:
    ParserConfigurationException, SettingsException, IOException, SAXException, XPathExpressionException, ValidationError
- isValid
  public boolean isValid(String requestId)
  Determines if the SAML Response is valid using the certificate.
  Parameters:
    requestId - The ID of the AuthNRequest sent by this SP to the IdP
  Returns:
    whether the response is valid or not
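The following is an added example, not code from this page or from the java-saml project. It shows an Assertion Consumer Service step that drives SamlResponse the way the constructor and isValid(String) above are meant to be used: build the object from the raw base64 SAMLResponse and the URL it arrived on, validate against the stored AuthnRequest ID, and only then read NameID, attributes and session data. It assumes Saml2Settings is built with SettingsBuilder from a properties file (not documented on this page; the file name is a placeholder), and that the caller supplies the three inputs from its servlet or framework layer.

```java
import java.util.HashMap;
import java.util.List;

import com.onelogin.saml2.authn.SamlResponse;
import com.onelogin.saml2.exception.ValidationError;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;

// Added example (not the toolkit's own code): an ACS consumer around SamlResponse.
public class AcsHandler {

    /** What the caller gets back: claims on success, otherwise a rejection reason. */
    public static final class Outcome {
        public final boolean accepted;
        public final String nameId;
        public final HashMap<String, List<String>> attributes;
        public final String sessionIndex;        // keep for a later LogoutRequest to the IdP
        public final String sessionNotOnOrAfter; // bound the local session lifetime with it
        public final String error;

        private Outcome(boolean accepted, String nameId, HashMap<String, List<String>> attributes,
                        String sessionIndex, String sessionNotOnOrAfter, String error) {
            this.accepted = accepted;
            this.nameId = nameId;
            this.attributes = attributes;
            this.sessionIndex = sessionIndex;
            this.sessionNotOnOrAfter = sessionNotOnOrAfter;
            this.error = error;
        }

        static Outcome rejected(String error) {
            return new Outcome(false, null, null, null, null, error);
        }
    }

    private final Saml2Settings settings;

    public AcsHandler(Saml2Settings settings) {
        this.settings = settings;
    }

    /** Assumption: settings live in a properties file; the name here is a placeholder. */
    public static AcsHandler fromProperties() throws Exception {
        Saml2Settings s = new SettingsBuilder().fromFile("onelogin.saml.properties").build();
        return new AcsHandler(s);
    }

    /**
     * @param acsUrl            the URL this POST actually arrived on; it becomes currentUrl and is
     *                          what validateDestination compares against the Destination attribute
     * @param samlResponseB64   the SAMLResponse POST parameter, untouched (still base64)
     * @param expectedRequestId ID of the AuthnRequest this SP issued and stored before redirecting;
     *                          isValid(requestId) checks InResponseTo against it
     */
    public Outcome consume(String acsUrl, String samlResponseB64, String expectedRequestId) throws Exception {
        SamlResponse response;
        try {
            response = new SamlResponse(settings, acsUrl, samlResponseB64);
        } catch (ValidationError e) {
            // The constructor itself rejects input it cannot load (it declares ValidationError).
            return Outcome.rejected("response could not be loaded: " + e.getMessage());
        }

        // isValid(requestId) runs the whole check chain documented on this page: status,
        // signed elements, timestamps/Conditions, audience, destination,
        // SubjectConfirmation (including InResponseTo) and issuers.
        if (!response.isValid(expectedRequestId)) {
            // getError() is the string form of the cause; getValidationException() is the typed one.
            return Outcome.rejected(response.getError());
        }

        // Claims are read only after validation succeeded.
        // getSessionNotOnOrAfter's return type is not given on this page, so it is kept as Object.
        Object expiry = response.getSessionNotOnOrAfter();
        return new Outcome(true,
                response.getNameId(),
                response.getAttributes(),
                response.getSessionIndex(),
                expiry == null ? null : expiry.toString(),
                null);
    }
}
```

The ordering matters: nothing from the response is trusted until isValid(String) has returned true, and the request ID handed to it must be the one stored server-side for this browser session, not anything taken from the POST body.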
- validateSubjectConfirmation
  private void validateSubjectConfirmation(String responseInResponseTo) throws XPathExpressionException, ValidationError
  Check SubjectConfirmation; at least one SubjectConfirmation must be valid
  Parameters:
    responseInResponseTo - The InResponseTo value of the SAML Response
  Throws:
    XPathExpressionException, ValidationError
- isValid
  public boolean isValid()
  Determines if the SAML Response is valid using the certificate.
  Returns:
    whether the response is valid or not
- getNameIdData
  Gets the NameID provided from the SAML Response Document.
  Returns:
    the Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
  Throws:
    Exception
- getNameId
  Gets the NameID value provided from the SAML Response String.
  Returns:
    string Name ID Value
  Throws:
    Exception
- getNameIdFormat
  Gets the NameID Format provided from the SAML Response String.
  Returns:
    string NameID Format
  Throws:
    Exception
- getNameIdNameQualifier
  Gets the NameID NameQualifier provided from the SAML Response String.
  Returns:
    string NameQualifier
  Throws:
    Exception
- getNameIdSPNameQualifier
  Gets the NameID SP NameQualifier provided from the SAML Response String.
  Returns:
    string SP NameQualifier
  Throws:
    Exception
- getAttributes
  public HashMap<String,List<String>> getAttributes() throws XPathExpressionException, ValidationError
  Gets the Attributes from the AttributeStatement element.
  Returns:
    the attributes of the SAML Assertion
  Throws:
    XPathExpressionException, ValidationError
- getResponseStatus
  Returns the ResponseStatus object
  Returns:
    the ResponseStatus object
- checkStatus
  void checkStatus()
  Checks the Status
  Throws:
    ValidationError - If status is not success
- getStatus
  static SamlResponseStatus getStatus(Document dom)
  Get Status from a Response
  Parameters:
    dom - The Response as XML
  Returns:
    SamlResponseStatus
  Throws:
    IllegalArgumentException - if the response does not contain a status, or on an unexpected XPath error
    ValidationError
- checkOneCondition
  Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
  Returns:
    true if the Conditions element exists and is unique
  Throws:
    XPathExpressionException
- checkOneAuthnStatement
  Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
  Returns:
    true if the AuthnStatement element exists and is unique
  Throws:
    XPathExpressionException
- getAudiences
  Gets the audiences.
  Returns:
    the audiences of the response
  Throws:
    XPathExpressionException
- getResponseIssuer
  Gets the Response Issuer.
  Returns:
    the Response Issuer, or null if not specified
  Throws:
    XPathExpressionException
    ValidationError - if multiple Response issuers were found
- getAssertionIssuer
  Gets the Assertion Issuer.
  Returns:
    the Assertion Issuer
  Throws:
    XPathExpressionException
    ValidationError - if no Assertion Issuer could be found, or if multiple Assertion issuers were found
- getIssuers
  Deprecated. Use getResponseIssuer() and/or getAssertionIssuer(); the contract of this method is quite controversial.
  Gets the Issuers (from Response and Assertion). If the same issuer appears both in the Response and in the Assertion (as it should), the returned list will contain it just once. Hence, the returned list should always contain one element, and in particular:
    - it will never contain zero elements (that would mean an Assertion Issuer could not be found, hence a ValidationError will be thrown instead)
    - if it contains more than one element, it means that the response is invalid and one of the returned issuers won't pass the check performed by isValid(String) (which requires both issuers to be equal to the Identity Provider entity id)
  Warning: as a consequence of the above, if this response's status code is not a successful one, this method will throw a ValidationError because it won't find any Assertion Issuer. In this case, if you need to retrieve the Response Issuer anyway, you must use getResponseIssuer() instead.
  Returns:
    the issuers of the assertion/response
  Throws:
    XPathExpressionException
    ValidationError - if multiple Response Issuers or multiple Assertion Issuers were found, or if no Assertion Issuer could be found
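The following is an added example, not code from this page or from the java-saml project. It builds a diagnostic line for a response that isValid(...) has already rejected, following the warning above: it uses getResponseIssuer() rather than the deprecated getIssuers(), because a non-success status carries no Assertion and getIssuers() would throw instead of answering. SamlResponseStatus#getStatusCode() is assumed from the toolkit and is not documented on this page.

```java
import javax.xml.xpath.XPathExpressionException;

import com.onelogin.saml2.authn.SamlResponse;
import com.onelogin.saml2.authn.SamlResponseStatus;
import com.onelogin.saml2.exception.ValidationError;

// Added example (not the toolkit's own code): describe a rejected response for the SP's log.
public final class RejectionReport {

    private RejectionReport() {}

    /** @param response a SamlResponse on which isValid(...) has already returned false */
    public static String describe(SamlResponse response) {
        StringBuilder sb = new StringBuilder("SAML response rejected");

        // The typed cause recorded during validation, if any (getError() is its string form).
        Exception cause = response.getValidationException();
        if (cause != null) {
            sb.append("; cause=").append(cause.getClass().getSimpleName())
              .append(": ").append(cause.getMessage());
        }

        // A non-success status is the IdP refusing, which is a different event from a
        // tampered or replayed message; log it separately so the two are not conflated.
        // getStatusCode() is assumed from the toolkit, not documented on this page.
        SamlResponseStatus status = response.getResponseStatus();
        if (status != null) {
            sb.append("; status=").append(status.getStatusCode());
        }

        // Issuer of the Response element itself; readable even when there is no Assertion.
        try {
            String issuer = response.getResponseIssuer();
            sb.append("; responseIssuer=").append(issuer == null ? "(not specified)" : issuer);
        } catch (ValidationError | XPathExpressionException e) {
            // Multiple Response issuers is itself a finding: record it rather than hide it.
            sb.append("; responseIssuer=invalid (").append(e.getMessage()).append(")");
        }
        return sb.toString();
    }
}
```

Call describe(response) only in the rejection branch, after isValid(...) has returned false; on a valid response the two issuer getters are what isValid(String) already compared against the IdP entity id, so there is nothing further to log there.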
- getSessionNotOnOrAfter
  Gets the SessionNotOnOrAfter from the AuthnStatement. Could be used to set the local session expiration
  Returns:
    the SessionNotOnOrAfter value
  Throws:
    XPathExpressionException
- getSessionIndex
  Gets the SessionIndex from the AuthnStatement. Could be stored in the local session so that a future Logout Request sent by the SP to the IdP can indicate which specific session must be deleted
  Returns:
    the SessionIndex value
  Throws:
    XPathExpressionException
- getId
  Returns:
    the ID of the Response
- getAssertionId
  Returns:
    the ID of the assertion in the Response
  Throws:
    XPathExpressionException
- getAssertionNotOnOrAfter
  Returns:
    a list of NotOnOrAfter values from SubjectConfirmationData nodes in this Response
  Throws:
    XPathExpressionException
- validateNumAssertions
  Verifies that the document only contains a single Assertion (encrypted or not).
  Returns:
    true if the document passes.
  Throws:
    IllegalArgumentException
- processSignedElements
  Verifies the signature nodes:
    - checks that they are Response or Assertion
    - checks that IDs and reference URIs are unique and consistent.
  Returns:
    array of signed element tags
  Throws:
    XPathExpressionException, ValidationError
- validateSignedElements
  public boolean validateSignedElements(ArrayList<String> signedElements) throws XPathExpressionException, ValidationError
  Verifies that the document has the expected signed nodes.
  Parameters:
    signedElements - the elements to be validated
  Returns:
    true if valid
  Throws:
    XPathExpressionException, ValidationError
- validateTimestamps
  Verifies that the document is still valid according to the Conditions Element.
  Returns:
    true if still valid
  Throws:
    ValidationError
- setDestinationUrl
  Aux method to set the destination url
  Parameters:
    url - the url to set as currentUrl
- getError
  After a validation process has been executed, if it failed this method returns the cause
  Returns:
    the cause of the validation error as a string
- getValidationException
  After a validation process has been executed, if it failed this method returns the Exception object
  Returns:
    the cause of the validation error
- setValidationException
  Sets the validation exception that this SamlResponse should return when a validation error occurs.
  Parameters:
    validationException - the validation exception to set
- queryAssertion
  Extracts a node from the DOMDocument (Assertion).
  Parameters:
    assertionXpath - XPath Expression
  Returns:
    the queried node
  Throws:
    XPathExpressionException
- query
  Extracts nodes that match the query from the DOMDocument (Response Message)
  Parameters:
    nameQuery - XPath Expression
    context - The context node
  Returns:
    DOMNodeList The queried nodes
  Throws:
    XPathExpressionException
- decryptAssertion
  private Document decryptAssertion(Document dom)
      throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError
  Decrypt assertion.
  Parameters:
    dom - Encrypted assertion
  Returns:
    Decrypted Assertion.
  Throws:
    XPathExpressionException, IOException, SAXException, ParserConfigurationException, SettingsException, ValidationError
- getSAMLResponseXml
  Returns:
    the SAMLResponse XML. If the Assertion of the SAMLResponse was encrypted, returns the XML with the assertion decrypted
- getSAMLResponseDocument
  Returns:
    the SAMLResponse Document. If the Assertion of the SAMLResponse was encrypted, returns the Document with the assertion decrypted
- validateAudiences
  Validates the audiences.
- validateDestination
  Validate the destination.
  Parameters:
    element - element with the destination attribute
  Throws:
    ValidationError
- validateRecipient
  Validate a subject confirmation recipient.
  Parameters:
    recipient - recipient node
    index - index of the subject confirmation node
  Returns:
    a subject confirmation issue or null
- validateSpNameQualifier
  Validates a SPNameQualifier.
  Parameters:
    spNameQualifier - the SPNameQualifier
  Throws:
    ValidationError
- getResponseIssueInstant
  Returns the issue instant of this message.
  Returns:
    a new Calendar instance carrying the issue instant of this message
  Throws:
    ValidationError - if the found IssueInstant attribute is not in the expected UTC form of ISO-8601 format