Package net.shibboleth.idp.authn.impl

Class SelectAuthenticationFlow

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.impl.SelectAuthenticationFlow
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class SelectAuthenticationFlow extends AbstractAuthenticationAction
An authentication action that selects an authentication flow to invoke, or re-uses an existing result for SSO.

This is the heart of the authentication processing sequence, and runs after the AuthenticationContext has been fully populated. It uses the potential flows, the RequestedPrincipalContext (if any), and the active results, to decide how to proceed.

Normal processing behavior can be circumvented if AuthenticationContext.getSignaledFlowId() is set, which causes an active result from that flow to be reused, or that flow to be invoked, if at all possible, subject to the usual predicates and requested principal constraints noted below.

Otherwise, if there is no RequestedPrincipalContext, then an active result will be reused, unless the request requires forced authentication. If not possible, then a potential flow will be selected and its ID returned as the result of the action.

If there are requested principals, then the results or flows chosen must "match" the request information according to the PrincipalEvalPredicateFactoryRegistry attached to the context. The "favorSSO" option determines whether to select a flow specifically in the order specified by the RequestedPrincipalContext, or to favor an active but matching result over a new flow. Forced authentication trumps the use of any active result.

Event:
EventIds.PROCEED_EVENT_ID (reuse of a result, i.e., SSO), AuthnEventIds.NO_PASSIVE, AuthnEventIds.NO_POTENTIAL_FLOW, AuthnEventIds.REQUEST_UNSUPPORTED, Selected flow ID to execute
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null
, The content of AuthenticationContext.getPotentialFlows() are assumed to be acceptable with respect to passive and forced authentication requirements, etc.
Postcondition:
If a result is reused, AuthenticationContext.getAuthenticationResult() will return that result. Otherwise, AuthenticationContext.getAttemptedFlow() will return the flow selected for execution and returned as an event.

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • favorSSO

      private boolean favorSSO
      Whether SSO trumps explicit relying party flow preference.

    • requestedPrincipalCtx

      @Nullable private RequestedPrincipalContext requestedPrincipalCtx
      A subordinate RequestedPrincipalContext, if any.

    • preferredPrincipalCtx

      @Nullable private PreferredPrincipalContext preferredPrincipalCtx
      A subordinate PreferredPrincipalContext, if any.

    • noProxying

      private boolean noProxying
      Tracks a proxy count of zero for the request.

  • Constructor Details

    • SelectAuthenticationFlow

      public SelectAuthenticationFlow()

  • Method Details

    • getFavorSSO

      public boolean getFavorSSO()
      Get whether SSO should trump explicit relying party requirements preference.
      Returns:
      whether SSO should trump explicit relying party requirements preference

    • setFavorSSO

      public void setFavorSSO(boolean flag)
      Set whether SSO should trump explicit relying party requirements preference.
      Parameters:
      flag - whether SSO should trump explicit relying party requirements preference

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • doSelectSignaledFlow

      private void doSelectSignaledFlow(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Executes the selection process in the presence of an explicit flow signal.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • doSelectNoRequestedPrincipals

      private void doSelectNoRequestedPrincipals(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Executes the selection process in the absence of specific requested principals.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • getUnattemptedInactiveFlow

      @Nullable private AuthenticationFlowDescriptor getUnattemptedInactiveFlow(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Return the first inactive potential flow not found in the intermediate flows collection that applies to the request.
      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      Returns:
      an eligible flow, or null

    • selectInactiveFlow

      private void selectInactiveFlow(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull AuthenticationFlowDescriptor descriptor)
      Selects an inactive flow and completes processing.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      descriptor - the flow to select

    • selectActiveResult

      private void selectActiveResult(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull AuthenticationResult result)
      Selects an active result and completes processing.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      result - the result to reuse

    • doSelectRequestedPrincipals

      private void doSelectRequestedPrincipals(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Executes the selection process in the presence of specific requested Principals, requiring evaluation of potential flows and results for Principal-compatibility with request.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • selectRequestedInactiveFlow

      private void selectRequestedInactiveFlow(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Selects an inactive flow in the presence of specific requested Principals, and completes processing.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • selectRequestedFlow

      private void selectRequestedFlow(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Map<String,AuthenticationResult> activeResults)
      Selects a flow or an active result in the presence of specific requested Principals and completes processing.
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      activeResults - active results that may be reused