All Classes and Interfaces
Abstract Function which returns Locale-aware information about an attribute.
Base class for attribute release consent actions.
Base class for validation actions that includes new audit logging support.
A base class for authentication related actions.
Base class for transcoders that support CAS attributes.
A function to produce a "canonical" name for a CAS Attribute for transcoding rules.
Base class for CAS protocol actions.
Base class for JCommander command line argument handling for an HTTP-based remote service call, with an abstract method that adds to a URL based on a derived class' arguments.
Base class for consent actions.
Base class for consent actions which write to a StorageService.
Base class for consent actions which interact with a StorageService.
An abstract CredentialValidator that handles some common behavior.
A base class for authentication actions that extract usernames for subsequent use.
An extension to AbstractCommandLine that auto-adds our context initializer for idp.home and property support.
An extension to AbstractCommandLineArguments that allows idp.home override and includes HTTP client support.
Abstract base for implementations of IdPSession, handles basic management of the instance data without addressing persistence.
Address syntaxes supported for address binding.
Base class for InterceptorAwareProfileConfiguration implementations.
Base class for all actions that build SAML Response messages for output.
Base class for PrincipalSerializer implementations.
Base class for Spring-aware profile actions.
A base class for profile interceptor actions.
Base class for profile interceptor results.
Base class for CAS protocol configuration.
Abstract base class for protocol response messages.
Base class for Function that returns content from the ProxyRestriction element.
Configuration support for artifact-aware profiles.
Base class for IdP SAML 1.x profile configurations that produce assertions.
Configuration support for artifact-aware profiles.
Base class for IdP SAML 2.0 profile configurations that produce assertions.
IdP-specific base class for SAML 2.0 NameID generation that extends the OpenSAML base class with support for BrowserSSOProfileConfiguration.getSPNameQualifier(org.opensaml.profile.context.ProfileRequestContext).
Base class for SAML 2 profile configurations.
Base class for SAML profile configurations.
Base class for SPSession serializers that handles data common to all such objects.
A base class for subject canonicalization actions.
Base class for Template based search dn resolvers.
Escapes LDAP attribute values added to the template context.
Base class for ticket serializers that use a simple field-delimited serialization strategy.
Abstract base class for ticket services that rely on StorageService for ticket storage.
An abstract CredentialValidator that checks for a UsernamePasswordContext and delegates to subclasses to produce a result.
A base class for authentication related actions that validate credentials and produce an AuthenticationResult.
A component that manages lockout state for accounts.
Helper class for Action operations.
Helper methods for creating/testing objects within profile action tests.
A test Action.
Extension of OpenSAML handler that incorporates BrowserSSOProfileConfiguration.getRequestedAttributes(org.opensaml.profile.context.ProfileRequestContext).
Action that builds an AttributeStatement and adds it to an Assertion returned by a lookup strategy, by default in the InOutOperationContext.getOutboundMessageContext().
Action that builds an AttributeStatement and adds it to an Assertion returned by a lookup strategy, by default in the InOutOperationContext.getOutboundMessageContext().
Action that builds an AuthenticationStatement and adds it to an Assertion returned by a lookup strategy, by default in the InOutOperationContext.getOutboundMessageContext().
Action that creates an AuthnRequest and sets it as the message returned by InOutOperationContext.getOutboundMessageContext().
Action that builds an AuthnStatement and adds it to an Assertion returned by a lookup strategy, by default in the InOutOperationContext.getOutboundMessageContext().
Action that creates a LogoutRequest based on a SAML2SPSession in a LogoutPropagationContext and sets it as the message returned by InOutOperationContext.getOutboundMessageContext().
A descriptor for an administrative flow.
Manager of AdministrativeFlowDescriptor objects.
Deprecated, for removal: This API element is subject to removal in a future version.
Configuration support for SAML 1.x artifact resolution requests.
Configuration support for IdP SAML 2.0 artifact resolution profile.
Function that returns the ID attribute from the assertions in a response.
Function that returns the IssueInstant attribute from the assertions in a response.
Function that returns the latest attempted authentication flow ID.
Function that returns the username in a subordinate UsernamePasswordContext or UsernameContext, if any.
Wrapper class for a CAS attribute/values construct in a validate response.
Function which returns the locale-aware display description of an attribute, defaulting to the attribute ID if the attribute has no display description.
Function which returns the locale-aware display name of an attribute, defaulting to the attribute ID if the attribute has no display name.
Class to help Attribute Extraction in views.
Predicate to determine whether consent should be obtained for an attribute.
Configuration support for SAML 1 attribute query requests.
Configuration support for SAML 2.0 Attribute Query profile.
Configuration support for IdP SAML 2.0 attribute query profile.
Function that returns a map of consent objects representing consent to attribute release.
Context for attribute release consent.
Descriptor for an attribute release flow.
A condition for login flows that checks for revocation against a resolved IdPAttribute.
Generator for NameIdentifier objects based on IdPAttribute data.
Generator for NameID objects based on IdPAttribute data.
An action that extracts a resolved IdPAttribute value from an AttributeContext child obtained via a lookup function (by default a child of the SubjectCanonicalizationContext), and uses it as the result of subject canonicalization.
ContextDataLookupFunction to return the value of an attribute from an AttributeContext.
Function to calculate the hash of the values of an IdP attribute.
A context representing the state of an authentication attempt; this is the primary input/output context for the action flow responsible for authentication, and within that flow, the individual flows that carry out a specific kind of authentication.
A context that holds information about authentication failures.
Function that returns the authentication flow ID used to satisfy a request.
A descriptor for an authentication flow.
Manager of AuthenticationFlowDescriptor objects.
A function that returns AuthenticationProfileConfiguration.getAuthenticationFlows(org.opensaml.profile.context.ProfileRequestContext)() if such a profile is available from a RelyingPartyContext obtained via a lookup function, by default a child of the ProfileRequestContext.
Principal based on a SAML 1.x AuthenticationMethod.
Configuration of profiles for authentication.
Describes an act of authentication.
Principal that wraps an AuthenticationResult.
Principal serializer for AuthenticationResultPrincipal.
A context that holds information about authentication warnings.
Constants to use for audit logging fields stored in an AuditContext.
Function that returns the first AuthenticationMethod, AuthnContextClassRef, or AuthnContextDeclRef from the assertions in a response.
Principal based on a SAML AuthnContextClassRef.
Principal based on a SAML AuthnContextDecl.
Principal based on a SAML AuthnContextDeclRef.
Constants to use for ProfileAction EventContext results related to authentication and subject c14n.
Function that returns the first authentication timestamp from the assertions in a response.
Base class for actions that encode an AttributeContext into a SAML attribute statement.
Base class for actions that encode authentication information into a SAML 1 or SAML 2 statement.
An abstract action which contains the logic to do crypto transient decoding matching.
A base helper class for predicates that determine if CSRF protection is required per state.
Decodes an incoming Shibboleth Authentication Request message.
Regular expression, etc.
An abstract action which contains the logic to do transient decoding matching (shared between SAML2 and SAML1).
A descriptor for an administrative flow.
A wrapper class to construct logo objects for exposure by the UIInfo interface.
Implementation support for a concrete SPSession implementation.
A function to create a BasicSPSession based on profile execution state.
A serializer for BasicSPSession objects.
Deprecated, for removal: This API element is subject to removal in a future version.
A strategy function for establishing an appropriate BestMatchLocationCriterion based on the AssertionConsumerService location used to initiate a SAML2SPSession.
Profile configuration for IdP SAML Browser SSO profiles.
Configuration for SAML 1 Browser SSO profile requests.
Configuration support for IdP and proxied SAML 2.0 Browser SSO.
Configuration support for IdP and proxied SAML 2.0 Browser SSO.
Builds an authentication context from an incoming ServiceTicketRequest message.
Action that builds the chain of visited proxies for a successful proxy ticket validation event.
Creates the RelyingPartyContext as a child of the ProfileRequestContext.
Builds a SAMLMetadataContext child of RelyingPartyContext to facilitate relying party selection by group name.
Creates the SAML response message for failed ticket validation at the /samlValidate URI.
Creates the SAML response message for successful ticket validation at the /samlValidate URI.
Code to build the war file during an install or on request.
Function that returns a principal name from one of two places: a SubjectCanonicalizationContext child of the root context or a SessionContext.
IdPModule implementation.
Marker interface for transcoders that support CAS attributes.
Constants to use for audit logging fields stored in an AuditContext.
Describes a CAS protocol-specific service provider session created in response to a successful ticket validation.
JSON serializer for CASSPSession class.
Context that carries a Certificate to be validated.
Function that returns the issuer of a client certificate.
Function that returns the subject of a client certificate.
Checks the current ServiceContext to determine whether the service/relying party is authorized to proxy.
Entry point for command line attribute utility.
Principal that can be cloned without knowledge of the underlying type.
Serializes a Collection of strings.
IdPModule implementation.
Interface for JCommander command line argument handling for an HTTP-based remote service call.
Lookup function for extracting CAS profile configuration from the profile request context.
Represents consent.
IdPModule implementation.
Constants to use for audit logging fields stored in an AuditContext as a child of a ConsentContext.
Context representing the state of a consent flow.
Descriptor for a consent flow.
Context representing signals to consent flows for managing their state.
The result of a consent flow, suitable for storage.
Serializes Consent.
IdPModule implementation.
An action that checks for an ExternalAuthenticationContext for a signaled event via the ExternalAuthenticationContext.getAuthnError() method, and otherwise enforces the presence of an inbound SAML Response to process.
Copy the distribution to the final location.
IdPModule implementation.
Implementation base class for IdPModule that lives within the core code and whose documentation URLs will float with the IdP's own.
A Comparator used to order storage keys so that the least used and oldest storage keys are returned first.
Function to order storage keys by least-used and oldest first during pruning of storage records.
Consent action to create a consent result representing global consent to be stored in a storage service.
Consent action to create a consent result representing the result of a consent flow.
High-level API for validating credentials and producing a Java Subject as a result.
Interface to use to report errors to the caller.
Interface to use to report warnings to the caller.
Generates transients using a DataSealer to encrypt the result into a recoverable value, for use with stateless clustering.
Processes a transient NameID, checks that its NameIDType.getNameQualifier() and NameIDType.getSPNameQualifier() are correct, and decodes XSString.getValue() via the base class (reversing the work done by CryptoTransientIdGenerationStrategy).
Processes a transient NameIdentifier, checks that its NameIdentifier.getNameQualifier() is correct, and decodes XSString.getValue() via the base class (reversing the work done by CryptoTransientIdGenerationStrategy).
An anti cross-site request forgery token.
A flow execution lifecycle listener that, if enabled: sets an anti-CSRF token into the flow-scope map when a flow session starts and a token per-flow is enabled; sets an anti-CSRF token into the view-scope map when rendering a suitable view-state.
A thread-safe helper class for dealing with cross-site request forgery tokens.
A simple default CSRF token validation predicate.
Function that returns the current consent IDs from a ConsentContext.
Function that returns whether the current consents are approved from a ConsentContext.
Function that returns the current consent values from a ConsentContext.
Tells the installers about the current install state.
Arguments for DataSealer CLI.
Operation enum.
Command line utility for DataSealer.
Deprecated, for removal: This API element is subject to removal in a future version.
Handles serialization of results, delegating handling of Principal objects to one or more PrincipalSerializer plugins.
Default BiPredicate for determining if CSRF token validation should occur from a compatible request context and event.
Function to filter a set of candidate NameIdentifier/NameID Format values derived from an entity's SAML metadata against configuration preferences.
Function that returns the first custom Principal of a particular type found on the AuthenticationResult returned by AuthenticationContext.getAuthenticationResult().
Default comparator implementation for comparing CAS service URLs.
Default Predicate for determining if a CSRF token is required for the given request context.
IdPModule implementation.
A bean that emits deprecation warnings if a configurable set of properties are set.
Profile action that destroys any IdPSessions found in a LogoutContext.
An authentication action that checks for a mismatch between an existing session's identity and the result of a newly canonicalized subject (from a SubjectCanonicalizationContext).
A Function that produces a discovery request URL using the protocol defined in https://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile.
Action that implements a JSON REST API for the AccountLockoutManager interface.
Action that implements a JSON REST API for the RevocationCache interface.
Action that implements a JSON REST API for accessing StorageService records.
Command line processing for DumpConfig flow.
Object representing a request to mock a profile request to obtain the effective configuration.
Decodes an incoming configuration reporting message.
Deprecated, for removal: This API element is subject to removal in a future version.
Configuration support for IdP SAML 2.0 ECP profile.
Configuration support for IdP SAML 2.0 ECP profile.
IdPModule implementation.
Ticket service that uses two different strategies for ticket persistence: service tickets, proxy tickets, and root proxy-granting tickets are persisted by serializing ticket data and encrypting it into the opaque part of the ticket ID using a DataSealer; chained proxy-granting tickets are persisted using a StorageService.
Function that returns the data encryption algorithm used.
An action that processes a SAML 2 AuthnRequest and blocks the use of any "simple" disallowed features.
An extension to AccountLockoutManager that allows for enumeration over partial matches of a key.
CAS protocol flow event identifiers.
PrincipalEvalPredicateFactory that implements exact matching of principals, and works for any type.
IdPModule implementation.
Public interface supporting external authentication outside the webflow engine.
A context representing the state of an externalized authentication attempt, a case where authentication happens outside of a web flow.
Exception indicating a problem with the external authentication process.
Implementation of the ExternalAuthentication API that handles moving information in and out of request attributes.
Public interface supporting external interceptor flows outside the webflow engine.
A context representing the state of an externalized interceptor flow.
Exception indicating a problem with the external interceptor process.
Implementation of the ExternalInterceptor API that handles moving information in and out of request attributes.
An authentication action that populates an AuthenticationContext with the active AuthenticationResult objects found in a SessionContext that is a direct child of the ProfileRequestContext.
Consent action which extracts user input and updates current consent objects in the consent context accordingly.
An action that extracts a discovery service result and copies it to the AuthenticationContext.
An action that extracts an asserted user identity from the incoming request, creates a UsernameContext, and attaches it to the AuthenticationContext.
Action that extracts a SAML Subject from an inbound message, and prepares a SubjectCanonicalizationContext to process it into a principal identity.
Lookup function that returns the NameIdentifier or NameID from the request in the inbound message context.
An action that extracts the user-agent's IP address from the incoming request, creates a UserAgentContext, and attaches it to the AuthenticationContext.
An action that extracts the user-agent's identifier from the incoming request, creates a UserAgentContext, and attaches it to the AuthenticationContext.
An action that extracts a username and password from the HTTP HttpHeaders.AUTHORIZATION header, creates a UsernamePasswordContext, and attaches it to the AuthenticationContext.
An action that extracts a username and password from an HTTP form body or query string, creates a UsernamePasswordContext, and attaches it to the AuthenticationContext.
An authentication stage that extracts a username/password from the WSS Username/Password attached to a SOAP message.
An action that extracts an X.509 certificate from the standard servlet request attribute, creates a CertificateContext, and attaches it to the AuthenticationContext.
Action that invokes the AttributeFilter for the current request.
Action that filters a set of attributes against the AttributeDesignator objects in an AttributeQuery.
Action that filters a set of attributes against the Attribute objects in an AttributeQuery.
An authentication action that filters out potential authentication flows if the request requires forced authentication or max age behavior and the flows don't support forced authentication.
An authentication action that filters out potential authentication flows if the request requires non-browser support and the flows require a browser.
A profile interceptor action that filters out available interceptor flows if the request requires non-browser support and the flows require a browser.
An authentication action that runs after a completed authentication flow (or the reuse of an active result) and transfers information from other contexts into a SubjectContext child of the ProfileRequestContext.
Small class to do the post install work on an embedded jetty-base.
An authentication action that completes MFA by producing a final AuthenticationResult out of whatever constituent parts and pieces exist, by means of an overridable function, storing it in the AuthenticationContext and preparing a fresh SubjectCanonicalizationContext to operate on.
Default merging strategy to combine individual AuthenticationResult objects into a single result.
An action that runs after a completed canonicalization of a SAML Subject and transfers information into a SubjectContext child of the ProfileRequestContext.
Implementation class for plugins from the project itself to centralize update handling.
A bean factory for creating FlowDefinitionRegistry instances, based on the programmatic builder built into SWF.
Copied from SWF, a basic registry implementation.
Derivation of SWF-supplied resource factory for flow definitions.
Marker interface for a descriptor for a webflow allowing managed injection of configuration settings.
Function that returns a profile interceptor flow descriptor from a profile request context using a lookup strategy.
ContextDataLookupFunction that returns the current flow id.
This is subclassed in order to customize the Spring ApplicationContext used for flow configuration.
This code is extended from org.springframework.webflow.engine.builder.model.FlowRelativeResourceLoader with modifications to support proper lookup of resources via both filesystem and classpath along with custom protocol-specific loaders.
Function that returns the ForceAuthn attribute from an AuthnRequest.
A predicate that evaluates a ProfileRequestContext and determines whether forced authentication should be set based on the associated AuthenticationProfileConfiguration.
Looks up the value of the CAS gateway parameter from the request to the /login URI.
Principal serializer for arbitrary principal types.
PrincipalService for most principal types that just exposes the proper PrincipalSerializer.
Predicate to determine whether global consent has been given by user.
Generates and stores a CAS protocol proxy ticket.
Generates and stores a CAS protocol service ticket.
Kerberos login utility for the context acceptor, encapsulates a number of special options used to create a security context for the GSS acceptor, usually based on a keytab file.
Helper class that manages context establishment for the SPNEGO GSS-API mechanism.
IdPModule implementation.
Principal based on an HOTP authentication.
A password validator that authenticates against Apache htpasswd files.
Authenticates a CAS proxy callback endpoint using an HttpClient instance to establish the connection and a TrustEngine to verify the TLS certificate presented by the remote peer.
Criterion representing a session bound to a servlet request, which is implicitly the "current" request known to the resolver.
Principal that wraps an IdPAttribute.
Principal serializer for IdPAttributePrincipal.
Engine to mine values from IdPAttributePrincipals.
Constants to use for audit logging fields stored in an AuditContext.
Command line arguments for the "build" verb.
Command line for 'build'.
IdP-specific constants to use for ProfileAction EventContexts.
A set of gauges for core system information.
Implementation of InstallableComponentInfo for an IdP Version.
Object representing a Shibboleth Authentication Request message.
Decodes an incoming Shibboleth Authentication Request message.
Decodes an incoming Shibboleth Authentication Request message.
Command line arguments for the "install" verb.
Command line installer.
This interface is exported (via the service API) by every IdP module.
This interface is exported (via the service API) by every IdP plugin.
Specialization of context initializer for IdP use.
An identity provider session belonging to a particular subject and client device.
A predicate that evaluates a ProfileRequestContext and extracts the effective setting of BrowserSSOProfileConfiguration.isIgnoreScoping(ProfileRequestContext).
IdPModule implementation.
A function that returns InterceptorAwareProfileConfiguration.getInboundInterceptorFlows(org.opensaml.profile.context.ProfileRequestContext)() if such a profile is available from a RelyingPartyContext obtained via a lookup function, by default a child of the ProfileRequestContext.
A predicate that evaluates an SSO ProfileRequestContext and determines whether an attribute statement should be included in the outgoing assertion.
PrincipalEvalPredicateFactory that implements inexact matching of principals, based on an arbitrary set of "matches" configured at runtime.
An action that processes settings from a supplied AdministrativeFlowDescriptor to prepare the profile context tree for subsequent use by an administrative profile flow.
Action that creates an AttributeReleaseContext and attaches it to the current ProfileRequestContext.
An action that creates an AuthenticationContext and attaches it to the current ProfileRequestContext.
Action that creates a ConsentContext and attaches it to the current ProfileRequestContext.
Initializes the CAS protocol interaction at the /login URI.
Action that adds an outbound MessageContext and related SAML contexts to the ProfileRequestContext based on the identity of a relying party accessed via a lookup strategy, by default an immediate child of the profile request context.
Action that prepares an outbound MessageContext and related SAML contexts in the event that they are not already prepared, to allow error responses to be generated in the case of synchronous bindings (i.e., SOAP).
Action that creates a new ProfileRequestContext and binds it to the current conversation under the ProfileRequestContext.BINDING_KEY key, and sets the profile and logging IDs, if provided.
Initializes the CAS protocol interaction at the /proxy URI.
Action that creates a new ProfileRequestContext via a creation strategy, and sets the profile and logging IDs, if provided.
Message handler that adds a RelyingPartyContext to the current InOutOperationContext tree via a creation function.
Action that adds a RelyingPartyContext to the current ProfileRequestContext tree via a creation function.
An action that creates a RequestedPrincipalContext and attaches it to the current AuthenticationContext, if the profile request context contains a RelyingPartyContext with an AuthenticationProfileConfiguration containing one or more default authentication methods.
Initializes the CAS protocol interaction at the /login URI.
Function that returns the InResponseTo attribute from a response.
Gauge set to report the Plugins' and IdP's installation and update statuses.
Tracks information about an installed component.
Parameters to metadata generation.
Class which encapsulated all the properties/UI driven configuration of an install.
General common names and helper functions for the IdP and Plugin Installers.
Predicate to ask the user if they want to install the trust store provided.
A FileVisitor which detects (and logs) whether a copy would overwrite.
Extension of ProfileConfiguration that adds interceptor support.
Exception indicating a problem validating a CSRF token at runtime.
IdPModule implementation.
A BiPredicate that checks if a pair of addresses are either equal, or share an IPRange.
Predicate that determines whether an IdP attribute is required by the requester.
Predicate that returns whether consent is required by comparing the previous and current consents from the consent context.
Function that returns the IsPassive attribute from an AuthnRequest.
A password validator that authenticates against JAAS.
Command line arguments for JarCheckCLI.
Program to check for potential jar clashes.
Function to join the result of two functions with a separator.
A password validator that authenticates against Kerberos natively, with optional service ticket verification.
Kerberos realm settings for the SPNEGO authentication flow.
Kerberos settings for the SPNEGO authentication flow.
Context that carries a KerberosTicket to be validated.
Implementation of CredentialConfig that loads keystore and truststore data using a Resource.
LDAP Authentication configuration.
Enum that defines authenticator configuration.
Enum that defines LDAP connection strategy.
Enum that defines an LDAP pool passivator.
Enum that defines LDAP trust configuration.
A password validator that authenticates against LDAP natively.
Principal serializer for LdapPrincipal.
A context containing data about an LDAP authentication operation.
Function which resolves the Locale from a ProfileRequestContext.
A context that holds information about a management operation on an AccountLockoutManager.
Spring Web Flow utility action for logging on DEBUG a representation of the current ProfileRequestContext.
A FileVisitor that copies directory trees, keeping a note of all copied target files.
A bean that logs IdP internals when instantiated, and outputs a number of warning conditions.
CAS protocol configuration that applies to the /login URI.
A BaseContext that holds a multimap of SPSession objects.
A function that returns a session from a LogoutContext and removes it from that context at the same time.
Context holding information needed to perform logout for a single SP session.
Logout propagation result.
A descriptor for a logout propagation flow.
Manager of LogoutPropagationFlowDescriptor objects.
Selection function to retrieve the logout propagation flow descriptor that is suitable for a given SPSession.
A strategy function for determining the status of a logout based on the content of a LogoutContext.
Dedicated bean used to log flow exceptions, to get around issues with Spring Expressions referencing class objects under certain conditions that are so far not understood.
Spring Web Flow utility action for logging on DEBUG details about the current hierarchy of Spring ApplicationContext and the beans contained within each.
Deprecated, for removal: This API element is subject to removal in a future version.
Implements a set of default logic for mapping an AuthnContext's content into a set of custom Principals based on a set of static mapping rules.
Deprecated, for removal: This API element is subject to removal in a future version.
Action that ensures that the attributes in the ACS (if any) are mapped.
Function that returns a consent object whose id and value are resolved from a lookup function and MessageSource.
Function that returns the Metadata protocol (as defined by the bean called shibboleth.MetadataLookup.Protocol).
Command line processing for MetadataQuery flow.
Object representing a query for metadata.
Decodes an incoming metadata query request.
CAS service registry implementation that queries SAML metadata for a CAS service given a CAS service URL using the following strategy.
Predicate defines CAS login endpoints so that the metadata index on endpoints can be scoped to the smallest set needed to support CAS entities in SAML metadata.
IdPModule implementation.
Mock implementation of AuthenticationProfileConfiguration.
Mock implementation of ProfileConfiguration.
Deprecated, for removal: This API element is subject to removal in a future version.
Gauge set to report the Modules' statuses.
Arguments for IdPModule management CLI.
Command line for IdPModule management.
A context that holds information about the intermediate state of the multi-factor login flow.
A ruleset for managing the transition out of a step during the multi-factor authn flow.
BaseContext representing multiple relying parties involved in a request, usually a subcontext of ProfileRequestContext.
Error thrown if decoding of a SAML subject identifier fails.
Function that returns the Name Identifier from a request or response.
Action to perform subject canonicalization, transforming the input Subject into a principal name by searching for one and only one NameIDPrincipal custom principal, using an injected NameIDDecoder to carry out the process.
A predicate that determines if this action can run or not.
A class used to describe flow descriptors for NameIDPrincipal and NameIdentifierPrincipal c14n.
Interface for converting a NameID back into a principal name.
Action to perform subject canonicalization, transforming the input Subject into a principal name by searching for one and only one NameIdentifierPrincipal custom principal, using an injected NameIdentifierDecoder to carry out the process.
A predicate that determines if this action can run or not.
Interface for converting a NameIdentifier back into a principal name.
A service interface for obtaining name identifier generators.
Implementation of NameIdentifierGenerationService.
Principal based on the SAML2 NameIdentifier.
Function that returns the Name Identifier Format from a SAML Subject.
Function that returns the NameID Format from a NameIDPolicy element.
Function that returns the SPNameQualifier from a NameIDPolicy element.
Principal based on the SAML2 NameID.
Principal serializer for NameIDPrincipal.
Descriptor for an administrative flow that tracks whether it's been run or not to limit use.
Service OrganizationDisplayName - directly from the metadata if present.
Service OrganizationName - directly from the metadata if present.
Service OrganizationURL - directly from the metadata if present.
A function that returns
InterceptorAwareProfileConfiguration.getOutboundInterceptorFlows(org.opensaml.profile.context.ProfileRequestContext)() if such a
profile is available from a RelyingPartyContext obtained via a lookup function, by default a child of the
ProfileRequestContext.Action that outputs the settings from the effective
ProfileConfiguration and so on.Custom serializer for
Principal objects in config.Custom serializer for
Principal objects in config.Action that outputs one or more
Metric objects.IdPModule implementation.A function that examines the state of a request and produces an appropriate error message for
the Password login flow.
Principal that wraps a password.
Extension of standard SWF URL handler that checks for requests in which a valid flow ID is a prefix of the PATH_INFO value, allowing the flow to run with the rest of the path available to it as input.
Service registry that evaluates a candidate service URL against one or more defined services, where each definition contains a service URL regular expression pattern.
Generator for "persistent" Format NameID objects that provides a source/seed ID based on IdPAttribute data.
Deprecated.
Implementation base class for IdPModule that is shipped in a plugin produced by the Shibboleth Project ourselves and for which the documentation will be in the wiki in a fixed location.
Information about a Plugin.
The class where the heavy lifting of managing a plugin happens.
Arguments for Plugin Installer CLI.
Operation enum.
Command line for Plugin Installation.
A class which will answer questions about a plugin state as of now (by querying the information Resources for the current published state).
Attribute consent action to populate the attribute consent context with the attributes for which consent should be obtained.
Action that populates fields in an AuditContext using injected functions.
Parser for the formatting strings that exposes a final set of field labels that are present in any of the input formatters.
An action that populates an AuthenticationContext with the AuthenticationFlowDescriptor objects configured into the IdP, potential flows filtered by flow IDs from a lookup function.
Action that populates the outbound SAMLBindingContext and when appropriate the SAMLEndpointContext based on the inbound request.
Consent action which populates the current consents of a consent context with the output value of a function whose input value is a profile request context.
Action that resolves and populates EncryptionParameters on an EncryptionContext created/accessed via a lookup function, by default on a RelyingPartyContext child of the profile request context.
Action that adds a SAMLSelfEntityContext to the inbound MessageContext.
Profile action that creates a LogoutPropagationContext containing SPSession to be destroyed.
An action that creates and populates a MultiFactorAuthenticationContext with the set of transition rules to use for coordinating activity, the executing AuthenticationFlowDescriptor and with any active "factors" found, if an active result from the MFA flow is present in the AuthenticationContext.
Profile action that populates a MultiRelyingPartyContext with the relying party information from a LogoutContext, and extends each RelyingPartyContext created with a SAMLMetadataContext based on metadata lookup.
A profile interceptor action that populates a ProfileInterceptorContext with ProfileInterceptorFlowDescriptor objects based on flow IDs from a lookup function.
Populates error information needed for protocol error messages.
A profile action that populates a SessionContext with an active, valid IdPSession.
An action that populates a SubjectCanonicalizationContext with the SubjectCanonicalizationFlowDescriptor objects configured into the IdP.
An action that populates a principal name obtained from a lookup function into a SubjectContext child of the ProfileRequestContext.
An action that conditionally populates a UserAgentContext as a child of the ProfileRequestContext.
A function that returns AuthenticationProfileConfiguration.getPostAuthenticationFlows(org.opensaml.profile.context.ProfileRequestContext) if such a profile is available from a RelyingPartyContext obtained via a lookup function, by default a child of the ProfileRequestContext.
Comparator which prefers to order strings according to the order in which they appear in a list, and which falls back to natural ordering for strings not present in the list.
A context that holds information about an authentication request's preference for a specific custom Principal.
Action that adds an inbound MessageContext and a SAMLPeerEntityContext to the ProfileRequestContext based on the identity of a relying party, by default from a SAML2SPSession found in a LogoutPropagationContext.
Prepares TicketValidationResponse for use in CAS protocol response views.
An action to populate a username into a cleared UsernamePasswordContext, either from a form submission, a cookie, or an existing session to "prime" the login view.
Profile action that performs initial analysis of a LogoutRequest or LogoutResponse to dispatch it for subsequent processing.
An action that extracts configured parameters from a servlet request and populates AuthenticationContext.getAuthenticationStateMap() with the data.
A function that returns the value of AuthenticationResult.isPreviousResult() or null if the input context is null or AuthenticationContext.getAuthenticationResult() is null.
A Predicate to evaluate a Principal that represents a requested form of authentication against a set of principals supported by a PrincipalSupportingComponent.
Generates a Predicate to evaluate a PrincipalSupportingComponent against a requested form of authentication expressed in terms of a Principal.
Wraps the association of a PrincipalEvalPredicateFactory against a particular Principal subtype and a string operator.
A registry of mappings between a custom Principal subtype with a matching operator and a corresponding PrincipalEvalPredicateFactory that returns predicates enforcing a particular set of matching rules for that operator and subtype.
Interface for the serialization/deserialization of principals.
Interface that provides services for a Principal of a given type.
Manages and exposes instances of the PrincipalService interface.
Helper class for accessing Principal information.
Interface for an authentication component that exposes custom Principal objects.
Perform processing of a SAML 2 Response's Assertions that have been validated by earlier actions for use in finalization of SAML-based authentication by later actions.
Profile action that resolves an active session from the profile request, and records it, populating the associated SPSession objects into a LogoutContext.
Profile action that processes a LogoutRequest by resolving matching sessions, and destroys them, populating the associated SPSession objects (excepting the one initiating the logout) into a LogoutContext.
An authentication action that processes the RequestedAuthnContext in a SAML 2 AuthnRequest, and populates a RequestedPrincipalContext with the corresponding information.
Processes the ticket validation request message from decoded SAML 1.1 message and request parameters.
Post-processes bean configuration metadata to ensure that stateful beans are scoped properly.
Post-processes ProfileAction beans by wrapping them in a Spring Web Flow adaptor.
A BaseContext which holds flows that are available to be executed, the last flow attempted, and any flow result.
A descriptor for a profile interceptor flow.
Manager of ProfileInterceptorFlowDescriptor objects.
Represents the result of a profile interceptor flow intended for storage by a StorageService.
Exposes the ProfileRequestContext in a request attribute to make it accessible outside the Webflow execution pipeline.
A version of BufferedOutputStream which provides some idea of progress.
A package which is similar to Properties, but allows comments to be preserved.
A POJO which looks like a property.
Implementation of IdPModule relying on Java Properties.
Implementation of IdPPlugin relying on Java Properties.
Context container for CAS protocol request and response messages.
CAS protocol errors.
Protocol parameter name enumeration.
Function that returns ProxyRestriction.getAudiences().
A function that returns the first value stored in a ProxyAuthenticationPrincipal contained in a Subject.
Principal that wraps a set of proxied authentication authorities and any restrictions on subsequent re-use.
Principal serializer for ProxyAuthenticationPrincipal.
Implements a set of default logic for determining the RequestedAuthnContext operator to use.
Implements a set of default logic for determining the custom principals to derive the RequestedAuthnContext from.
Implements a set of default logic for determining whether ForceAuthn should be applied.
CAS protocol configuration that applies to the /proxy URI.
Function that returns ProxyRestriction.getProxyCount().
CAS proxy-granting ticket.
Looks up the PGT from a proxy ticket request.
Serializes proxy-granting tickets in simple field-delimited form.
Container for identifiers used in authenticating a proxy callback endpoint.
A function that returns the allowable proxy count and audiences to include in assertions, based on the results of lookup functions for local configuration merged with upstream proxy restrictions to compute a final result in accordance with the standard.
A compound implementation of the SAML1NameIdentifierGenerator interface that wraps a sequence of candidate generators along with a default to try if no format-specific options are available.
A compound implementation of the SAML2NameIDGenerator interface that wraps a sequence of candidate generators along with a default to try if no format-specific options are available.
CAS proxy ticket.
Container for proxy ticket request parameters provided to /proxy URI.
Container for proxy ticket response parameters returned from /proxy URI.
Proxy ticket storage serializer.
Strategy pattern component for proxy callback endpoint validation.
Action to publish the CAS protocol request or response messages, i.e.
A predicate that evaluates a ProfileRequestContext and extracts the effective setting of BrowserSSOProfileConfiguration.isRandomizeFriendlyName(ProfileRequestContext) or AttributeQueryProfileConfiguration.isRandomizeFriendlyName(ProfileRequestContext).
Consent action which reads consent records from storage and adds the serialized consent records to the consent context as previous consents.
Action that records the "Response Complete" status on the external context if not done so already.
Deprecated, for removal: This API element is subject to removal in a future version.
A ServletContainerInitializer implementation that registers a filter chain embedded in our Spring configuration.
Attribute consent action which constrains the attributes released to those consented to.
Service registry wrapper around a ReloadableService.
Action that refreshes or clears a MetadataResolver manually.
Command line processing for reload-metadata flow.
Command line processing for reload-service flow.
Action that refreshes a ReloadableService manually.
A function that returns MultiRelyingPartyContext.getCurrentRelyingPartyContext().
A BiFunction that returns a RelyingPartyContext based on ID.
A function that returns a collection of RelyingPartyContexts based on a label.
An implementation of the loginConfigStrategy for JAASCredentialValidator which uses a supplied map to resolve the JAAS config to use.
The context which carries the user interface information.
Extracts authentication information from the request and returns it via the IdP's external authentication interface.
Looks up the value of the CAS renew parameter from the request to the /login URI.
A class to reach out and find out whether we are up to date.
Builder used to construct RequestContext used in Action executions.
A context that holds information about an authentication request's requirement for a specific custom Principal.
A function that returns RequestedPrincipalContext.getOperator().
A function that returns RequestedPrincipalContext.getRequestedPrincipals() but transforms the values into strings.
Action that invokes the AttributeResolver for the current request.
Command line processing for ResolverTest flow.
Returns the principal name from a ResolverTestRequest message in the inbound message context.
Object representing a request to run the attribute resolution and filtering components.
Decodes an incoming resolver test message.
Restores specific portions of the context tree used during logout processing to enable reuse of logout propagation subflows during back channel logout.
This handler can be attached to view or end states that are used to respond to errors, including RuntimeExceptions, so that if they themselves raise another RuntimeException, it won't trigger the state again, but just fail the flow.
Extension of SWF's built-in FlowHandlerAdapter implementation that overrides its poor assumption that a missing flow exception should result in the flow being restarted.
A condition for login flows that checks for revocation against a RevocationCache.
Consent action which deletes a consent record from storage.
An object which does installation rollback in its AutoCloseable.close() method.
Marker subtype for a SAML 1 session, adds no actual information other than its identity as a SAML 1 session.
A function to create a SAML1SPSession based on profile execution state.
A serializer for SAML1SPSession objects.
Message handler implementation that enforces the AuthnRequestsSigned flag of the SAML 2 metadata element SPSSODescriptor and/or a local profile configuration option.
Extends a BasicSPSession with SAML 2.0 information required for reverse lookup in the case of a logout.
A function to create a SAML2SPSession based on profile execution state.
A serializer for SAML2SPSession objects.
Constants to use for audit logging fields stored in an AuditContext.
Manages state during proxied SAML authentication.
MVC controller that handles outbound and inbound message I/O for proxied SAML authentication.
SAML 1.1 protocol params needed to support /samlValidate endpoint.
Common interface for IdP SAML profile configurations.
A lookup strategy that returns a SAML entityID if the RelyingPartyContext contains a reference to a SAMLPeerEntityContext or SAMLSelfEntityContext.
A lookup strategy that returns true iff the RelyingPartyContext contains a reference to a SAMLPeerEntityContext or SAMLSelfEntityContext that contains a SAMLMetadataContext such that SAMLMetadataContext.getEntityDescriptor() is non-null.
Stores the LogoutContext in the servlet session to facilitate lookup by logout propagation flows.
Saves off specific portions of the context tree in use during logout processing to enable reuse of logout propagation subflows during back channel logout.
An action which calls out to a supplied script.
Deprecated, for removal: This API element is subject to removal in a future version.
Principal serializer that encrypts/decrypts the data when serializing.
An authentication action that selects an authentication flow to invoke, or re-uses an existing result for SSO.
A profile action that selects a logout propagation flow to invoke.
Action that selects the ProfileConfiguration for the given request and sets it in the looked-up RelyingPartyContext.
Action that selects the ProfileConfiguration for the given message context and sets it in the looked-up RelyingPartyContext.
A profile interceptor action that selects flows to invoke.
This action attempts to resolve a RelyingPartyConfiguration and adds it to the RelyingPartyContext that was looked up.
This message handler attempts to resolve a RelyingPartyConfiguration and adds it to the RelyingPartyContext that was looked up.
A canonicalization action that selects a canonicalization flow to invoke.
Container for metadata about a CAS service (i.e.
Return the contactInfo for the SP or null.
IdP context container for CAS service (i.e.
Defines a registered CAS service (i.e.
Display the description from the <mdui:UIInfo>.
Adapts CAS protocol service metadata onto SAML metadata.
Service InformationURL - directly from the metadata if present.
Logo for the SP.
Looks up the service URL from the CAS protocol request.
Display the serviceName.
Service PrivacyURL - directly from the metadata if present.
Registry for explicitly verified CAS services (relying parties).
Display the serviceName.
CAS service ticket.
Describes a request for a ticket to access a service.
CAS protocol response message for a successfully granted service ticket.
Serializes service tickets in simple field-delimited form.
A ServletContainerInitializer implementation that registers the servlets used by the IdP.
A BaseContext that holds an IdPSession.
A function that returns the session ID from the session inside a SessionContext.
A function that returns the principal name from the session inside a SessionContext.
Exception indicating a problem with the session layer.
Criterion representing a session ID.
Function that returns SessionIndex values from assertions in a response or a logout request.
A function that returns BrowserSSOProfileConfiguration.getMaximumSPSessionLifetime(ProfileRequestContext) if such a profile is available from a RelyingPartyContext obtained via a lookup function, by default a child of the ProfileRequestContext.
Component that manages sessions between the IdP and client devices.
A resolver that is capable of finding IdPSession objects that meet certain criteria.
Action to populate the ProfileRequestContext with a RelyingPartyUIContext.
Deprecated, for removal: This API element is subject to removal in a future version.
A default, immutable, implementation of a CSRFToken.
Principal serializer for string-based principals that serialize to a simple JSON structure.
An action that operates on a SubjectCanonicalizationContext child of the current ProfileRequestContext, and transforms the input Subject into a principal name by searching for one and only one UsernamePrincipal custom principal.
A predicate that determines if this action can run or not.
Simple CAS ticket management service that delegates storage to StorageService.
Configuration support for IdP SAML 2 Single Logout.
Servlet filter that sets some interesting MDC attributes as the request comes in and clears the MDC as the response is returned.
Deprecated, for removal: This API element is subject to removal in a future version.
Predicate that decides whether to handle an error by returning a SOAP fault to a requester or fail locally.
Profile action that propagates a prepared LogoutRequest message to an SP via the SOAP binding, encapsulating SOAP pipeline construction and execution.
Function that returns the SPNameQualifier from a SAML Subject.
IdPModule implementation.
MVC controller for managing the SPNEGO exchanges implemented as an ExternalAuthentication mechanism.
Component managing the auto-login state via cookie.
Context, usually attached to AuthenticationContext, that carries configuration data and request state for SPNEGO authentication.
A function that returns the correct MessageDecoder to use based on a simple map of strings to bean IDs.
A function that returns the correct MessageEncoder to use based on an underlying BindingDescriptor.
A ServletContainerInitializer implementation that sets core parameters used to install Spring support into the context.
A function that returns a view name to render based on a Spring Web Flow Event.
Deprecated, for removal: This API element is subject to removal in a future version.
A lookup function that fetches SWF flow scope parameters.
A BaseContext which holds the Spring WebFlow RequestContext in which the overall parent context is operating.
A function that returns a status message to include, if any, in a SAML response based on the current profile request context state, using Spring's MessageSource functionality.
Describes a session with a service in turn associated with an IdPSession.
Criterion representing a service ID and an implementation-specific service session key.
A registry of mappings between a SPSession class and a corresponding StorageSerializer for that type.
Wrapper type for auto-wiring serializers.
Deprecated, for removal: This API element is subject to removal in a future version.
Command line processing for status flow.
Function that returns the StatusCode from a response.
Looks up the protocol message status code from a CAS protocol message response.
Looks up the protocol message status detail from a CAS protocol message response.
Function that returns the StatusMessage from a response.
An extended CookieManager that allows use of a StorageService.
Implementation of EnumeratableAccountLockoutManager interface that relies on a StorageService to track lockout state.
A function to generate a key for lockout storage.
Implementation of IdPSession for use with StorageBackedSessionManager.
A serializer for instances of StorageBackedIdPSession designed in conjunction with the StorageService-backed SessionManager implementation.
Implementation of SessionManager and SessionResolver interfaces that relies on a StorageService for persistence and lifecycle management of data.
Simplifies Spring wiring of a true/false condition for the consistentAddress feature.
An abstract decoder which contains the logic to decode SAML persistent IDs that are managed with a DurablePairwiseIdStore.
Generates transients using a StorageService to manage the reverse mappings.
A context that holds an input Subject to canonicalize into a principal name, and the collection of c14n flows to attempt.
A function that returns the Subject from a SubjectCanonicalizationContext.
Exception indicating a problem translating a subject between forms.
A descriptor for a subject canonicalization flow.
A context that holds information about the subject of a request.
A function that returns the impersonating principal name from a SubjectContext.
A function that returns the principal name from a SubjectContext.
A Function which returns IdPAttributes derived from the Principals associated with the request.
A Function which returns IdPAttributeValues derived from the Principals associated with the request.
An extender that supplements an IdP ScriptContext with Subject information.
Function that returns the lower-level StatusCode(s) from a response.
A predicate that evaluates a ProfileRequestContext and extracts the effective setting of BrowserSSOProfileConfiguration.isSuppressAuthenticatingAuthority(ProfileRequestContext).
Template-based search dn resolver.
Test Principal for testing requested authentication behavior.
Basic data sources for testing the attribute generators.
A static AttributeDefinition for testing.
A static DataConnector.
Generic CAS ticket that has a natural identifier and expiration.
IdP context that stores a granted CAS ticket.
Generates CAS protocol ticket identifiers of the form:
Strategy for ticket generation.
Looks up the service (proxy) ticket provided in a CAS protocol request or produced in a CAS protocol response.
Looks up a principal name stored in a CAS ticket: ProfileRequestContext -> ProtocolContext -> TicketContext -> Ticket.getTicketState() -> TicketState.getPrincipalName().
CAS ticket management service.
Supplemental state data to be stored with a ticket.
Ticket validation request message.
Service ticket validation response protocol message.
Principal based on a TOTP authentication.
Function that returns the transformed username in a subordinate UsernamePasswordContext, if any.
Transform from a NameID.
Transform from a NameIdentifier.
Generates and manages transient identifiers according to specific strategies.
The Parameters we need to store in, and get out of a transient ID, namely the attribute recipient (aka the SP) and the principal.
Decodes XSString.getValue() via the base class (reversing the work done by TransientSAML2NameIDGenerator).
Decodes XSString.getValue() via the base class (reversing the work done by TransientSAML1NameIdentifierGenerator).
Generator for transient NameIdentifier objects.
Generator for transient NameID objects.
An authentication action that acts as the driver regulating execution of transitions between MFA stages.
Code to handle (load, update, check) the trust store for an individual plugin.
An opaque handle around a PGPSignature.
Action that sets keystore and key passwords for one or more DataSealer KeyStrategy objects based on query parameters.
IdPModule implementation.
Action that creates private key objects and injects them into existing MutableCredential objects.
Consent action which maintains a storage record whose value is the current time in milliseconds.
Arguments for IdP "Updater" CLI.
Operation enum.
Command line update checker.
Conditionally updates the IdPSession with a CASSPSession to support SLO.
Action that updates inbound and/or outbound instances of SAMLSelfEntityContext based on the identity of a relying party accessed via a lookup strategy, by default an immediate child of the profile request context.
An authentication action that establishes a record of the AuthenticationResult in an IdPSession for the client, either by updating an existing session or creating a new one.
An action that establishes a record of an SPSession in an existing IdPSession for the client.
A context containing data about the user agent.
Context that carries a username (without a password) to be validated.
Context that carries a username/password pair to be validated.
Principal based on a username.
IdPModule implementation.
Code to do most of the V4 Install.
CAS protocol configuration.
An action that processes a list of CredentialValidator objects to produce an AuthenticationResult.
A default cleanup hook that removes the UsernamePasswordContext from the tree.
Consent action which validates extracted user input when per-attribute consent is not enabled.
An action that checks for an ExternalAuthenticationContext and directly produces an AuthenticationResult or records error state based on the contents.
A default cleanup hook that removes a CertificateContext from the tree.
An action that executes a deployer-supplied function and produces an AuthenticationResult based on the function result.
Validates the proxy callback URL provided in the service ticket validation request and creates a PGT when the proxy callback is successfully authenticated.
An action that checks for a UsernameContext and directly produces an AuthenticationResult based on that identity.
Ensures that a service ticket validation request that specifies renew=true matches the renew flag on the ticket that is presented for validation.
An action that produces an AuthenticationResult based on an inbound SAML 2.0 SSO response.
CAS protocol service ticket validation action.
An action that ensures that a user-agent address found within a UserAgentContext is within a given range and generates an AuthenticationResult.
Class for getting and printing the version of the IdP.
IdPModule implementation.
A Function that checks for cases in which the webflow's current event is not reflected by an attached EventContext and compensates, along with returning a suitably populated context.
An AbstractProfileAction subclass that adapts an OpenSAML MessageHandler for execution in a Spring WebFlow environment.
Used to indicate the target message context for invocation of the adapted message handler.
Adaptor that wraps a ProfileAction with a Spring Web Flow compatible action implementation so that it can be executed as part of a flow.
A Function that extracts the ProfileRequestContext from the current Webflow conversation.
Action that produces audit log entries based on an AuditContext and one or more formatting strings.
Action that produces F-TICKS log entries for successful SAML SSO responses.
A profile interceptor action that writes a ProfileInterceptorResult to a StorageService.
CAS 1.0 protocol response handler.
Principal serializer for X500Principal.
An action that operates on a SubjectCanonicalizationContext child of the current ProfileRequestContext, and transforms the input Subject into a principal name by searching for one and only one X509Certificate public credential, or in its absence one and only one X500Principal.
A predicate that determines if this action can run or not.
IdPModule implementation.
Servlet compatible with the ExternalAuthentication interface that extracts and validates an X.509 client certificate for user authentication.
A credential validator that validates an X.509 certificate.
Servlet filter to translate Apache mod_ssl certificate variables into Java servlet attributes.
Implementation of CredentialConfig that loads trust and key material using a Resource.