Package net.shibboleth.idp.saml.saml2.profile.config.impl

Class BrowserSSOProfileConfiguration

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
net.shibboleth.shared.component.AbstractIdentifiedInitializableComponent
net.shibboleth.shared.component.AbstractIdentifiableInitializableComponent
net.shibboleth.profile.config.AbstractProfileConfiguration
net.shibboleth.profile.config.AbstractConditionalProfileConfiguration
net.shibboleth.idp.profile.config.AbstractInterceptorAwareProfileConfiguration
net.shibboleth.idp.saml.profile.config.impl.AbstractSAMLProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.impl.AbstractSAML2ProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.impl.AbstractSAML2ArtifactAwareProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.impl.AbstractSAML2AssertionProducingProfileConfiguration
net.shibboleth.idp.saml.saml2.profile.config.impl.BrowserSSOProfileConfiguration
All Implemented Interfaces:
AuthenticationProfileConfiguration, InterceptorAwareProfileConfiguration, BrowserSSOProfileConfiguration, SAMLProfileConfiguration, BrowserSSOProfileConfiguration, AttributeResolvingProfileConfiguration, ConditionalProfileConfiguration, ProfileConfiguration, SAMLArtifactAwareProfileConfiguration, SAMLArtifactConsumerProfileConfiguration, SAMLAssertionConsumingProfileConfiguration, SAMLAssertionProducingProfileConfiguration, SAMLProfileConfiguration, BrowserSSOProfileConfiguration, SAML2AssertionProducingProfileConfiguration, SAML2ProfileConfiguration, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent
Direct Known Subclasses:
ECPProfileConfiguration, SSOSProfileConfiguration
public class BrowserSSOProfileConfiguration extends AbstractSAML2AssertionProducingProfileConfiguration implements AuthenticationProfileConfiguration, AttributeResolvingProfileConfiguration, BrowserSSOProfileConfiguration
Configuration support for IdP and proxied SAML 2.0 Browser SSO.

  • Field Details

  • Constructor Details

    • BrowserSSOProfileConfiguration

      public BrowserSSOProfileConfiguration()
      Constructor.

    • BrowserSSOProfileConfiguration

      protected BrowserSSOProfileConfiguration(@Nonnull @NotEmpty String profileId)
      Constructor.
      Parameters:
      profileId - unique ID for this profile

  • Method Details

    • isResolveAttributes

      public boolean isResolveAttributes(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      isResolveAttributes in interface AttributeResolvingProfileConfiguration

    • setResolveAttributes

      public void setResolveAttributes(boolean flag)
      Set whether attributes should be resolved during the profile.
      Parameters:
      flag - flag to set

    • setResolveAttributesPredicate

      public void setResolveAttributesPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether attributes should be resolved during the profile.
      Parameters:
      condition - condition to set

    • isIncludeAttributeStatement

      public boolean isIncludeAttributeStatement(@Nullable ProfileRequestContext profileRequestContext)
      Get whether responses to the authentication request should include an attribute statement.

      Default is true

      Specified by:
      isIncludeAttributeStatement in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether responses to the authentication request should include an attribute statement

    • setIncludeAttributeStatement

      public void setIncludeAttributeStatement(boolean flag)
      Set whether responses to the authentication request should include an attribute statement.
      Parameters:
      flag - flag to set

    • setIncludeAttributeStatementPredicate

      public void setIncludeAttributeStatementPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether responses to the authentication request should include an attribute statement.
      Parameters:
      condition - condition to set

    • isIgnoreScoping

      public boolean isIgnoreScoping(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether Scoping elements in requests should be ignored/omitted.
      Specified by:
      isIgnoreScoping in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether Scoping elements in requests should be ignored/omitted

    • setIgnoreScoping

      public void setIgnoreScoping(boolean flag)
      Sets whether Scoping elements in requests should be ignored/omitted.

      Defaults to false.

      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setIgnoreScopingPredicate

      public void setIgnoreScopingPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Sets a condition to determine whether Scoping elements in requests should be ignored/omitted.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • isForceAuthn

      public boolean isForceAuthn(@Nullable ProfileRequestContext profileRequestContext)
      Get whether the authentication process should include a proof of user presence.
      Specified by:
      isForceAuthn in interface AuthenticationProfileConfiguration
      Specified by:
      isForceAuthn in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff authentication should require user presence

    • setForceAuthn

      public void setForceAuthn(boolean flag)
      Set whether a fresh user presence proof should be required for this request.
      Parameters:
      flag - flag to set

    • setForceAuthnPredicate

      public void setForceAuthnPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether a fresh user presence proof should be required for this request.
      Parameters:
      condition - condition to set

    • isCheckAddress

      public boolean isCheckAddress(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      isCheckAddress in interface BrowserSSOProfileConfiguration

    • setCheckAddress

      public void setCheckAddress(boolean flag)
      Set whether the client's address must match the address in an inbound SubjectLocality element during inbound SSO.
      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setCheckAddressPredicate

      public void setCheckAddressPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether the client's address must match the address in an inbound SubjectLocality element during inbound SSO.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • isSkipEndpointValidationWhenSigned

      public boolean isSkipEndpointValidationWhenSigned(@Nullable ProfileRequestContext profileRequestContext)
      Get condition to determine whether the response endpoint should be validated if the request is signed.
      Specified by:
      isSkipEndpointValidationWhenSigned in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      condition

    • setSkipEndpointValidationWhenSigned

      public void setSkipEndpointValidationWhenSigned(boolean flag)
      Set whether the response endpoint should be validated if the request is signed.
      Parameters:
      flag - flag to set
      Since:
      3.4.0

    • setSkipEndpointValidationWhenSignedPredicate

      public void setSkipEndpointValidationWhenSignedPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set condition to determine whether the response endpoint should be validated if the request is signed.
      Parameters:
      condition - condition to set
      Since:
      3.4.0

    • isRandomizeFriendlyName

      public boolean isRandomizeFriendlyName(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether to randomize/perturb the FriendlyName attribute when encoding SAML 2.0 Attributes to enable probing of invalid behavior by relying parties.
      Specified by:
      isRandomizeFriendlyName in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the FriendlyName should be randomized

    • setRandomizeFriendlyName

      public void setRandomizeFriendlyName(boolean flag)
      Set whether to randomize/perturb the FriendlyName attribute when encoding SAML 2.0 Attributes to enable probing of invalid behavior by relying parties.
      Parameters:
      flag - flag to set
      Since:
      5.1.0

    • setRandomizeFriendlyNamePredicate

      public void setRandomizeFriendlyNamePredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set condition to determine whether to randomize/perturb the FriendlyName attribute when encoding SAML 2.0 Attributes to enable probing of invalid behavior by relying parties.
      Parameters:
      condition - condition to set
      Since:
      5.1.0

    • getProxyCount

      @Nullable public Integer getProxyCount(@Nullable ProfileRequestContext profileRequestContext)
      Gets the maximum number of times an assertion may be proxied outbound and/or the maximum number of hops between the relying party and a proxied authentication authority inbound.
      Specified by:
      getProxyCount in interface AuthenticationProfileConfiguration
      Specified by:
      getProxyCount in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      maximum number of times an assertion or authentication may be proxied

    • setProxyCount

      public void setProxyCount(@Nullable @NonNegative Integer count)
      Set the maximum number of times an assertion may be proxied.
      Parameters:
      count - maximum number of times an assertion may be proxied

    • setProxyCountLookupStrategy

      public void setProxyCountLookupStrategy(@Nonnull Function<ProfileRequestContext,Integer> strategy)
      Set a lookup strategy for the maximum number of times an assertion may be proxied.
      Parameters:
      strategy - lookup strategy

    • getProxyAudiences

      @Nonnull @NotLive @Unmodifiable public Set<String> getProxyAudiences(@Nullable ProfileRequestContext profileRequestContext)
      Gets the unmodifiable collection of audiences for a proxied assertion.
      Specified by:
      getProxyAudiences in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      audiences for a proxied assertion

    • setProxyAudiences

      public void setProxyAudiences(@Nullable Collection<String> audiences)
      Set the proxy audiences to be added to responses.
      Parameters:
      audiences - proxy audiences to be added to responses

    • setProxyAudiencesLookupStrategy

      public void setProxyAudiencesLookupStrategy(@Nonnull Function<ProfileRequestContext,Collection<String>> strategy)
      Set a lookup strategy for the proxy audiences to be added to responses.
      Parameters:
      strategy - lookup strategy

    • isSuppressAuthenticatingAuthority

      public boolean isSuppressAuthenticatingAuthority(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether to suppress inclusion of AuthenticatingAuthority element.

      Defaults to false.

      Specified by:
      isSuppressAuthenticatingAuthority in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      true iff the element should be suppressed when possible

    • setSuppressAuthenticatingAuthority

      public void setSuppressAuthenticatingAuthority(boolean flag)
      Sets whether to suppress inclusion of AuthenticatingAuthority element.

      Defaults to false.

      Parameters:
      flag - flag to set
      Since:
      4.2.0

    • setSuppressAuthenticatingAuthorityPredicate

      public void setSuppressAuthenticatingAuthorityPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Sets condition to determine whether to suppress inclusion of AuthenticatingAuthority element.
      Parameters:
      condition - condition to set
      Since:
      4.2.0

    • isProxiedAuthnInstant

      public boolean isProxiedAuthnInstant(@Nullable ProfileRequestContext profileRequestContext)
      Gets whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.

      Defaults to true.

      Specified by:
      isProxiedAuthnInstant in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to proxy across the inbound AuthnInstant

    • setProxiedAuthnInstant

      public void setProxiedAuthnInstant(boolean flag)
      Sets whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.
      Parameters:
      flag - flag to set
      Since:
      4.0.0

    • setProxiedAuthnInstantPredicate

      public void setProxiedAuthnInstantPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Sets condition to determine whether authentication results produced by use of this profile should carry the proxied assertion's AuthnInstant, rather than the current time.
      Parameters:
      condition - condition to set
      Since:
      4.0.0

    • isRequireSignedRequests

      public boolean isRequireSignedRequests(@Nullable ProfileRequestContext profileRequestContext)
      Get whether to require signed requests.
      Specified by:
      isRequireSignedRequests in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      whether to require signed requests

    • setRequireSignedRequests

      public void setRequireSignedRequests(boolean flag)
      Set whether to require signed requests.
      Parameters:
      flag - flag to set
      Since:
      4.3.0

    • setRequireSignedRequestsPredicate

      public void setRequireSignedRequestsPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether to require signed requests.
      Parameters:
      condition - condition to set
      Since:
      4.3.0

    • isRequireSignedAssertions

      public boolean isRequireSignedAssertions(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      isRequireSignedAssertions in interface SAMLAssertionConsumingProfileConfiguration

    • setRequireSignedAssertions

      public void setRequireSignedAssertions(boolean flag)
      Set whether to require signed assertions.
      Parameters:
      flag - flag to set
      Since:
      5.0.0

    • setRequireSignedAssertionsPredicate

      public void setRequireSignedAssertionsPredicate(@Nonnull Predicate<ProfileRequestContext> condition)
      Set a condition to determine whether to require signed assertions.
      Parameters:
      condition - condition to set
      Since:
      5.0.0

    • getMaximumSPSessionLifetime

      @Nullable public Duration getMaximumSPSessionLifetime(@Nullable ProfileRequestContext profileRequestContext)
      Get the maximum amount of time the service provider should maintain a session for the user based on the authentication assertion. A null or 0 is interpreted as an unlimited lifetime.
      Specified by:
      getMaximumSPSessionLifetime in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      max lifetime of service provider should maintain a session

    • setMaximumSPSessionLifetime

      public void setMaximumSPSessionLifetime(@Nullable Duration lifetime)
      Set the maximum amount of time the service provider should maintain a session for the user based on the authentication assertion. A null or 0 is interpreted as an unlimited lifetime.
      Parameters:
      lifetime - max lifetime of service provider should maintain a session

    • setMaximumSPSessionLifetimeLookupStrategy

      public void setMaximumSPSessionLifetimeLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set a lookup strategy for the maximum amount of time the service provider should maintain a session for the user.
      Parameters:
      strategy - lookup strategy
      Since:
      3.4.0

    • getMaximumTimeSinceAuthn

      @NonNegative @Nullable public Duration getMaximumTimeSinceAuthn(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      getMaximumTimeSinceAuthn in interface BrowserSSOProfileConfiguration

    • setMaximumTimeSinceAuthn

      public void setMaximumTimeSinceAuthn(@Nullable Duration amount)
      Set the maximum amount of time allowed to have elapsed since an incoming AuthnInstant.

      A null or 0 is interpreted as an unlimited amount.

      Parameters:
      amount - max time to allow
      Since:
      4.0.0

    • setMaximumTimeSinceAuthnLookupStrategy

      public void setMaximumTimeSinceAuthnLookupStrategy(@Nonnull Function<ProfileRequestContext,Duration> strategy)
      Set a lookup strategy for the maximum amount of time allowed to have elapsed since an incoming AuthnInstant.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • isAllowDelegation

      @Deprecated(since="5.0.0", forRemoval=true) public boolean isAllowDelegation(@Nullable ProfileRequestContext profileRequestContext)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Get the predicate used to determine if produced assertions may be delegated.
      Specified by:
      isAllowDelegation in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      predicate used to determine if produced assertions may be delegated

    • setAllowDelegation

      @Deprecated(since="5.0.0", forRemoval=true) public void setAllowDelegation(boolean flag)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Set whether produced assertions may be delegated.
      Parameters:
      flag - flag to set

    • setAllowDelegationPredicate

      @Deprecated(since="5.0.0", forRemoval=true) public void setAllowDelegationPredicate(@Nonnull Predicate<ProfileRequestContext> predicate)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Set the predicate used to determine if produced assertions may be delegated.
      Parameters:
      predicate - used to determine if produced assertions may be delegated

    • getMaximumTokenDelegationChainLength

      @Deprecated(since="5.0.0", forRemoval=true) @NonNegative public long getMaximumTokenDelegationChainLength(@Nullable ProfileRequestContext profileRequestContext)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Get the limits on the total number of delegates that may be derived from the initial SAML token.
      Specified by:
      getMaximumTokenDelegationChainLength in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      the limit on the total number of delegates that may be derived from the initial SAML token

    • setMaximumTokenDelegationChainLength

      @Deprecated(since="5.0.0", forRemoval=true) public void setMaximumTokenDelegationChainLength(@NonNegative long length)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Set the limits on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      length - the limit on the total number of delegates that may be derived from the initial SAML token

    • setMaximumTokenDelegationChainLengthLookupStrategy

      @Deprecated(since="5.0.0", forRemoval=true) public void setMaximumTokenDelegationChainLengthLookupStrategy(@Nonnull Function<ProfileRequestContext,Long> strategy)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Set a lookup strategy for the limits on the total number of delegates that may be derived from the initial SAML token.
      Parameters:
      strategy - lookup strategy
      Since:
      3.4.0

    • getAuthnContextTranslationStrategy

      @Nullable public Function<AuthnContext,Collection<Principal>> getAuthnContextTranslationStrategy(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Specified by:
      getAuthnContextTranslationStrategy in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function

    • setAuthnContextTranslationStrategy

      public void setAuthnContextTranslationStrategy(@Nullable Function<AuthnContext,Collection<Principal>> strategy)
      Set the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      strategy - translation function
      Since:
      4.0.0

    • setAuthnContextTranslationStrategyLookupStrategy

      public void setAuthnContextTranslationStrategyLookupStrategy(@Nonnull Function<ProfileRequestContext,Function<AuthnContext,Collection<Principal>>> strategy)
      Set a lookup strategy for the function to use to translate an inbound proxied SAML 2.0 AuthnContext into the appropriate set of custom Principal objects to populate into the subject.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • getAuthnContextTranslationStrategyEx

      @Nullable public Function<ProfileRequestContext,Collection<Principal>> getAuthnContextTranslationStrategyEx(@Nullable ProfileRequestContext profileRequestContext)
      Get the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Specified by:
      getAuthnContextTranslationStrategyEx in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      translation function

    • setAuthnContextTranslationStrategyEx

      public void setAuthnContextTranslationStrategyEx(@Nullable Function<ProfileRequestContext,Collection<Principal>> strategy)
      Set the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      strategy - translation function
      Since:
      4.1.0

    • setAuthnContextTranslationStrategyExLookupStrategy

      public void setAuthnContextTranslationStrategyExLookupStrategy(@Nonnull Function<ProfileRequestContext,Function<ProfileRequestContext,Collection<Principal>>> strategy)
      Set a lookup strategy for the function to use to translate an inbound proxied response into the appropriate set of custom Principal objects to populate into the subject.

      This differs from the original in that the input is the entire ProfileRequestContext of the proxied authentication state rather than the SAML AuthnContext directly.

      Parameters:
      strategy - lookup strategy
      Since:
      4.1.0

    • getAuthnContextComparison

      @Nullable public AuthnContextComparisonTypeEnumeration getAuthnContextComparison(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      getAuthnContextComparison in interface BrowserSSOProfileConfiguration

    • setAuthnContextComparison

      public void setAuthnContextComparison(@Nullable AuthnContextComparisonTypeEnumeration comparison)
      Set the comparison operator to use when issuing SAML requests containing requested context classes.
      Parameters:
      comparison - comparison value or null
      Since:
      4.0.0

    • setAuthnContextComparisonLookupStrategy

      public void setAuthnContextComparisonLookupStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
      Set a lookup strategy for the comparison operator to use when issuing SAML requests containing requested context classes.
      Parameters:
      strategy - lookup strategy
      Since:
      4.0.0

    • getDefaultAuthenticationMethods

      @Nonnull @NotLive @Unmodifiable public List<Principal> getDefaultAuthenticationMethods(@Nullable ProfileRequestContext profileRequestContext)
      Get the default authentication methods to use, expressed as custom principals.
      Specified by:
      getDefaultAuthenticationMethods in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      default authentication methods to use

    • setDefaultAuthenticationMethods

      public void setDefaultAuthenticationMethods(@Nullable Collection<Principal> contexts)
      Set the default authentication contexts to use, expressed as custom principals.
      Parameters:
      contexts - default authentication contexts to use

    • setDefaultAuthenticationMethodsLookupStrategy

      public void setDefaultAuthenticationMethodsLookupStrategy(@Nonnull Function<ProfileRequestContext,Collection<Principal>> strategy)
      Set a lookup strategy for the authentication contexts to use, expressed as custom principals.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getAuthenticationFlows

      @Nonnull @NotLive @Unmodifiable public Set<String> getAuthenticationFlows(@Nullable ProfileRequestContext profileRequestContext)
      Get the allowable authentication flows for this profile.

      The flow IDs returned MUST NOT contain the AuthenticationFlowDescriptor.FLOW_ID_PREFIX prefix common to all interceptor flows.

      Specified by:
      getAuthenticationFlows in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      a set of authentication flow IDs to allow

    • setAuthenticationFlows

      public void setAuthenticationFlows(@Nullable Collection<String> flows)
      Set the authentication flows to use.
      Parameters:
      flows - flow identifiers to use

    • setAuthenticationFlowsLookupStrategy

      public void setAuthenticationFlowsLookupStrategy(@Nonnull Function<ProfileRequestContext,Set<String>> strategy)
      Set a lookup strategy for the authentication flows to use.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getPostAuthenticationFlows

      @Nonnull @NotLive @Unmodifiable public List<String> getPostAuthenticationFlows(@Nullable ProfileRequestContext profileRequestContext)
      Get an ordered list of post-authentication interceptor flows to run for this profile.

      The flow IDs returned MUST NOT contain the ProfileInterceptorFlowDescriptor.FLOW_ID_PREFIX prefix common to all interceptor flows.

      Specified by:
      getPostAuthenticationFlows in interface AuthenticationProfileConfiguration
      Parameters:
      profileRequestContext - current profile request context
      Returns:
      a set of interceptor flow IDs to enable

    • setPostAuthenticationFlows

      public void setPostAuthenticationFlows(@Nullable Collection<String> flows)
      Set the ordered collection of post-authentication interceptor flows to enable.
      Parameters:
      flows - flow identifiers to enable

    • setPostAuthenticationFlowsLookupStrategy

      public void setPostAuthenticationFlowsLookupStrategy(@Nonnull Function<ProfileRequestContext,Collection<String>> strategy)
      Set a lookup strategy for the post-authentication interceptor flows to enable.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getNameIDFormatPrecedence

      @Nonnull @NotLive @Unmodifiable public List<String> getNameIDFormatPrecedence(@Nullable ProfileRequestContext profileRequestContext)
      Get the name identifier formats to use.
      Specified by:
      getNameIDFormatPrecedence in interface BrowserSSOProfileConfiguration
      Parameters:
      profileRequestContext - profile request context
      Returns:
      the formats to use

    • setNameIDFormatPrecedence

      public void setNameIDFormatPrecedence(@Nullable Collection<String> formats)
      Set the name identifier formats to use.
      Parameters:
      formats - name identifier formats to use

    • setNameIDFormatPrecedenceLookupStrategy

      public void setNameIDFormatPrecedenceLookupStrategy(@Nonnull Function<ProfileRequestContext,Collection<String>> strategy)
      Set a lookup strategy for the name identifier formats to use.
      Parameters:
      strategy - lookup strategy
      Since:
      3.3.0

    • getSPNameQualifier

      @Nullable public String getSPNameQualifier(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      getSPNameQualifier in interface BrowserSSOProfileConfiguration

    • setSPNameQualifier

      public void setSPNameQualifier(@Nullable String qualifier)
      Sets the SPNameQualifier to include in requests.
      Parameters:
      qualifier - the SPNameQualifier to include
      Since:
      5.0.0

    • setSPNameQualifierLookupStrategy

      public void setSPNameQualifierLookupStrategy(@Nonnull Function<ProfileRequestContext,String> strategy)
      Sets a lookup strategy for the SPNameQualifier to include in requests.
      Parameters:
      strategy - lookup strategy
      Since:
      5.0.0

    • getAttributeIndex

      @Nullable public Integer getAttributeIndex(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      getAttributeIndex in interface BrowserSSOProfileConfiguration

    • setAttributeIndex

      public void setAttributeIndex(@Nullable Integer index)
      Sets the AttributeConsumingServiceIndex to include in requests.
      Parameters:
      index - the index to include
      Since:
      5.0.0

    • setAttributeIndexLookupStrategy

      public void setAttributeIndexLookupStrategy(@Nonnull Function<ProfileRequestContext,Integer> strategy)
      Sets a lookup strategy for the AttributeConsumingServiceIndex to include in requests.
      Parameters:
      strategy - lookup strategy
      Since:
      5.0.0

    • getRequestedAttributes

      @Nonnull @NotLive @Unmodifiable public Collection<RequestedAttribute> getRequestedAttributes(@Nullable ProfileRequestContext profileRequestContext)
      Specified by:
      getRequestedAttributes in interface BrowserSSOProfileConfiguration

    • setRequestedAttributes

      public void setRequestedAttributes(@Nullable Collection<RequestedAttribute> attrs)
      Set the RequestedAttribute objects to include in request.
      Parameters:
      attrs - requested attributes to include
      Since:
      5.0.0

    • setRequestedAttributesLookupStrategy

      public void setRequestedAttributesLookupStrategy(@Nonnull Function<ProfileRequestContext,Collection<RequestedAttribute>> strategy)
      Set a lookup strategy for the name identifier formats to use.
      Parameters:
      strategy - lookup strategy
      Since:
      5.0.0