Package se.litsec.opensaml.saml2.authentication.build

Class ExtendedAuthnRequestBuilder

  • All Implemented Interfaces:
    SAMLObjectBuilder<AuthnRequest>
    public class ExtendedAuthnRequestBuilder
extends AbstractAuthnRequestBuilder<ExtendedAuthnRequestBuilder>
    The ExtendedAuthnRequestBuilder builds an AuthnRequest object given the metadata entry for the Service Provider that sends the request and the metadata entry for the Identity Provider that is the recipient of the request.

    The purpose with this builder is that the caller does not have to go through the SP and IdP metadata and create a valid AuthnRequest. By invoking assignDefaults() the AuthnRequest is built using values found in the metadata entries. Any particular settings that are non-default should be assigned using the builder's assigment methods, either before or after invoking assignDefaults(). The builder will assume that the "HTTP-Redirect" binding is used to send the request to the IdP (given that the IdP has an endpoint for this binding). Should the caller want to use another binding (POST), the binding(String) should be invoked before calling assignDefaults().

    Author:
    Martin Lindström (martin.lindstrom@litsec.se)

    • Constructor Detail

      • ExtendedAuthnRequestBuilder

        public ExtendedAuthnRequestBuilder​(EntityDescriptor spMetadata,
                                   EntityDescriptor idpMetadata)
        Constructor initializing the builder with the metadata entry for the Service Provider that is creating the authentication request and the metadata entry for the Identity Provider which is about to receive the request.
        Parameters:
        spMetadata - the SP metadata
        idpMetadata - the IdP metadata

    • Method Detail

      • assignDefaults

        public ExtendedAuthnRequestBuilder assignDefaults()
        Calculates values based on the SP and IdP metadata and assigns them to the AuthnRequest. The following rules are automatically applied by the assignDefaults() method:
        • The version is set to 2.0.
        • An ID attribute is generated and assigned.
        • The ProtocolBinding is assigned to HTTP-POST.
        • The Destination attribute is assigned the value found in the IdP metadata's SingleSignOnService element having a binding matching the binding that was assigned this builder.
        • The Issuer element is assigned the entityID found in the SP metadata.
        • The NameIDPolicy element is assigned by iterating over the declared NameIDFormat elements of the SP metadata and using the first format that is also declared by the IdP. The AllowCreate is set to true.
        Returns:
        the builder

      • id

        public ExtendedAuthnRequestBuilder id​(int idSize)
        Generates an identifier of size idSize and assigns it to the AuthnRequest.
        Parameters:
        idSize - the number of characters to be used in the ID
        Returns:
        the builder

      • binding

        public String binding()
        Returns the binding URI to be used to this request, i.e., should the request be redirected to the IdP or should it be posted?

        The setting controls how the AuthnRequest is put together and which data that is read from the IdP metadata.

        Returns:
        the binding URI

      • binding

        public ExtendedAuthnRequestBuilder binding​(String binding)
                                    throws SAMLObjectBuilderRuntimeException
        Assigns the URI that tells which binding (method) to use when transfering the AuthnRequest to the IdP.

        The setting controls how the AuthnRequest is put together and which data that is read from the IdP metadata. More specifically it assigns the Destination attribute to the address found in the IdP SingleSignOnService element having this binding.

        Parameters:
        binding - the binding URI
        Returns:
        the builder
        Throws:
        SAMLObjectBuilderRuntimeException - is thrown if the IdP metadata does not define a SingleSignOnService element having the given binding, which means that it does not support it, and it it thus meaningless to send this request using this binding

      • authnContextClassRefs

        public ExtendedAuthnRequestBuilder authnContextClassRefs​(boolean onlyMatching,
                                                         boolean failOnNoMatch,
                                                         List<String> uris)
                                                  throws SAMLObjectBuilderRuntimeException
        A utility method that helps adding one or more Authentication context class reference URI(s) to the RequestedAuthnContext element. The method will read the IdP's declared assuranceCertification URIs from its metadata.
        Parameters:
        onlyMatching - only add URIs that are also declared by the IdP in its metadata
        failOnNoMatch - throw if none of our given URIs are declared by the IdP
        uris - the URIs to add
        Returns:
        the builder
        Throws:
        SAMLObjectBuilderRuntimeException - is thrown if failOnNoMatch is set and we don't get a match between given URIs and declared URIs