SelectAuthenticationFlow (Shibboleth IdP :: Authentication Implementation 3.4.1 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>
  - - org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>
    - - net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>
      - net.shibboleth.idp.authn.AbstractAuthenticationAction
        
        net.shibboleth.idp.authn.impl.SelectAuthenticationFlow

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action
```
public class SelectAuthenticationFlow
extends AbstractAuthenticationAction
```
An authentication action that selects an authentication flow to invoke, or re-uses an existing result for SSO.
This is the heart of the authentication processing sequence, and runs after the AuthenticationContext has been fully populated. It uses the potential flows, the RequestedPrincipalContext (if any), and the active results, to decide how to proceed.

Normal processing behavior can be circumvented if AuthenticationContext.getSignaledFlowId() is set, which causes an active result from that flow to be reused, or that flow to be invoked, if at all possible, subject to the usual predicates and requested principal constraints noted below.

Otherwise, if there is no RequestedPrincipalContext, then an active result will be reused, unless the request requires forced authentication. If not possible, then a potential flow will be selected and its ID returned as the result of the action.

If there are requested principals, then the results or flows chosen must "match" the request information according to the PrincipalEvalPredicateFactoryRegistry attached to the context. The "favorSSO" option determines whether to select a flow specifically in the order specified by the RequestedPrincipalContext, or to favor an active but matching result over a new flow. Forced authentication trumps the use of any active result.
Event:

EventIds.PROCEED_EVENT_ID (reuse of a result, i.e., SSO), AuthnEventIds.NO_PASSIVE, AuthnEventIds.NO_POTENTIAL_FLOW, AuthnEventIds.REQUEST_UNSUPPORTED, Selected flow ID to execute

Precondition:
```
ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null
```
, The content of AuthenticationContext.getPotentialFlows() are assumed to be acceptable with respect to passive and forced authentication requirements, etc.
Postcondition:

If a result is reused, AuthenticationContext.getAuthenticationResult() will return that result. Otherwise, AuthenticationContext.getAttemptedFlow() will return the flow selected for execution and returned as an event.

Field Summary

Fields
Modifier and Type	Field and Description
`private boolean`	`favorSSO` Whether SSO trumps explicit relying party flow preference.
`private org.slf4j.Logger`	`log` Class logger.
`private PreferredPrincipalContext`	`preferredPrincipalCtx` A subordinate PreferredPrincipalContext, if any.
`private RequestedPrincipalContext`	`requestedPrincipalCtx` A subordinate RequestedPrincipalContext, if any.

Constructor Summary

Constructors
Constructor and Description

SelectAuthenticationFlow()

Constructors
Constructor and Description
`SelectAuthenticationFlow()`

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`
`private void`	`doSelectNoRequestedPrincipals(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)` Executes the selection process in the absence of specific requested principals.
`private void`	`doSelectRequestedPrincipals(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)` Executes the selection process in the presence of specific requested Principals, requiring evaluation of potential flows and results for Principal-compatibility with request.
`private void`	`doSelectSignaledFlow(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)` Executes the selection process in the presence of an explicit flow signal.
`boolean`	`getFavorSSO()` Get whether SSO should trump explicit relying party requirements preference.
`private AuthenticationFlowDescriptor`	`getUnattemptedInactiveFlow(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)` Return the first inactive potential flow not found in the intermediate flows collection that applies to the request.
`private void`	`selectActiveResult(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, AuthenticationResult result)` Selects an active result and completes processing.
`private void`	`selectInactiveFlow(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, AuthenticationFlowDescriptor descriptor)` Selects an inactive flow and completes processing.
`private void`	`selectRequestedFlow(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext, Map<String,AuthenticationResult> activeResults)` Selects a flow or an active result in the presence of specific requested Principals and completes processing.
`private void`	`selectRequestedInactiveFlow(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)` Selects an inactive flow in the presence of specific requested Principals, and completes processing.
`void`	`setFavorSSO(boolean flag)` Set whether SSO should trump explicit relying party requirements preference.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail
- log
```
@Nonnull
private final org.slf4j.Logger log
```
  Class logger.
- favorSSO
```
private boolean favorSSO
```
  Whether SSO trumps explicit relying party flow preference.
- requestedPrincipalCtx
```
@Nullable
private RequestedPrincipalContext requestedPrincipalCtx
```
  A subordinate RequestedPrincipalContext, if any.
- preferredPrincipalCtx
```
@Nullable
private PreferredPrincipalContext preferredPrincipalCtx
```
  A subordinate PreferredPrincipalContext, if any.

Constructor Detail
- SelectAuthenticationFlow
```
public SelectAuthenticationFlow()
```

Method Detail

getFavorSSO
```
public boolean getFavorSSO()
```
Get whether SSO should trump explicit relying party requirements preference.

Returns:
whether SSO should trump explicit relying party requirements preference

setFavorSSO
```
public void setFavorSSO(boolean flag)
```
Set whether SSO should trump explicit relying party requirements preference.

Parameters:
flag - whether SSO should trump explicit relying party requirements preference

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Overrides:: doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)

Overrides:: doExecute in class AbstractAuthenticationAction

doSelectSignaledFlow

private void doSelectSignaledFlow(@Nonnull
                        ProfileRequestContext profileRequestContext,
                        @Nonnull
                        AuthenticationContext authenticationContext)

Executes the selection process in the presence of an explicit flow signal.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context

doSelectNoRequestedPrincipals

private void doSelectNoRequestedPrincipals(@Nonnull
                                 ProfileRequestContext profileRequestContext,
                                 @Nonnull
                                 AuthenticationContext authenticationContext)

Executes the selection process in the absence of specific requested principals.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context

getUnattemptedInactiveFlow

@Nullable
private AuthenticationFlowDescriptor getUnattemptedInactiveFlow(@Nonnull
                                                               ProfileRequestContext profileRequestContext,
                                                               @Nonnull
                                                               AuthenticationContext authenticationContext)

Return the first inactive potential flow not found in the intermediate flows collection that applies to the request.

Parameters:: profileRequestContext - the current profile request context; authenticationContext - the current authentication context
Returns:: an eligible flow, or null

selectInactiveFlow

private void selectInactiveFlow(@Nonnull
                      ProfileRequestContext profileRequestContext,
                      @Nonnull
                      AuthenticationContext authenticationContext,
                      @Nonnull
                      AuthenticationFlowDescriptor descriptor)

Selects an inactive flow and completes processing.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context; descriptor - the flow to select

selectActiveResult

private void selectActiveResult(@Nonnull
                      ProfileRequestContext profileRequestContext,
                      @Nonnull
                      AuthenticationContext authenticationContext,
                      @Nonnull
                      AuthenticationResult result)

Selects an active result and completes processing.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context; result - the result to reuse

doSelectRequestedPrincipals

private void doSelectRequestedPrincipals(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               AuthenticationContext authenticationContext)

Executes the selection process in the presence of specific requested Principals, requiring evaluation of potential flows and results for Principal-compatibility with request.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context

selectRequestedInactiveFlow

private void selectRequestedInactiveFlow(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               AuthenticationContext authenticationContext)

Selects an inactive flow in the presence of specific requested Principals, and completes processing.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context

selectRequestedFlow

private void selectRequestedFlow(@Nonnull
                       ProfileRequestContext profileRequestContext,
                       @Nonnull
                       AuthenticationContext authenticationContext,
                       @Nonnull@NonnullElements
                       Map<String,AuthenticationResult> activeResults)

Selects a flow or an active result in the presence of specific requested Principals and completes processing.

Parameters:: profileRequestContext - the current IdP profile request context; authenticationContext - the current authentication context; activeResults - active results that may be reused

Class SelectAuthenticationFlow

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Detail

log

favorSSO

requestedPrincipalCtx

preferredPrincipalCtx

Constructor Detail

SelectAuthenticationFlow