Package com.nimbusds.oauth2.sdk.assertions.saml2

Class SAML2AssertionDetailsVerifier

java.lang.Object

com.nimbusds.oauth2.sdk.assertions.saml2.SAML2AssertionDetailsVerifier

All Implemented Interfaces:

com.nimbusds.jwt.proc.ClockSkewAware

@Immutable
public class SAML2AssertionDetailsVerifier
extends Object
implements com.nimbusds.jwt.proc.ClockSkewAware

SAML 2.0 bearer assertion details verifier for OAuth 2.0 client authentication and authorisation grants. Intended for initial validation of SAML 2.0 assertions:

• Audience check
• Expiration time check
• Not-before time check (is set)

Related specifications:

• Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522).

Field Summary

Fields

Modifier and Type	Field	Description
static final int	DEFAULT_MAX_CLOCK_SKEW_SECONDS	The default maximum acceptable clock skew, in seconds (60).

Constructor Summary

Constructors

Constructor	Description
SAML2AssertionDetailsVerifier(Set<Audience> expectedAudience)	Creates a new SAML 2.0 bearer assertion details verifier.

Method Summary

Modifier and Type	Method	Description
Set<Audience>	getExpectedAudience()	Returns the expected audience values.
int	getMaxClockSkew()
void	setMaxClockSkew(int maxClockSkewSeconds)
void	verify(SAML2AssertionDetails assertionDetails)	Verifies the specified SAML 2.0 bearer assertion details.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

DEFAULT_MAX_CLOCK_SKEW_SECONDS

public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS

The default maximum acceptable clock skew, in seconds (60).

See Also:

• Constant Field Values

Constructor Details

SAML2AssertionDetailsVerifier

public SAML2AssertionDetailsVerifier(Set<Audience> expectedAudience)

Creates a new SAML 2.0 bearer assertion details verifier.

Parameters:

expectedAudience - The expected audience values. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.

Method Details

getExpectedAudience

public Set<Audience> getExpectedAudience()

Returns the expected audience values.

Returns:

The expected audience values.

getMaxClockSkew

public int getMaxClockSkew()

Specified by:

getMaxClockSkew in interface com.nimbusds.jwt.proc.ClockSkewAware

setMaxClockSkew

public void setMaxClockSkew(int maxClockSkewSeconds)

Specified by:

setMaxClockSkew in interface com.nimbusds.jwt.proc.ClockSkewAware

verify

public void verify(SAML2AssertionDetails assertionDetails)
            throws BadSAML2AssertionException

Verifies the specified SAML 2.0 bearer assertion details.

Parameters:

assertionDetails - The SAML 2.0 bearer assertion details. Must not be null.

Throws:

BadSAML2AssertionException - If verification didn't pass successfully.