com.onelogin.saml2.authn

Class SamlResponse

java.lang.Object

com.onelogin.saml2.authn.SamlResponse

public class SamlResponse
extends Object

SamlResponse class of OneLogin's Java Toolkit. A class that implements SAML 2 Authentication Response parser/validator

Constructor Summary

Constructors

Constructor and Description
SamlResponse(Saml2Settings settings, HttpRequest request) Constructor to have a Response object fully built and ready to validate the saml response.
SamlResponse(Saml2Settings settings, String currentUrl, String samlResponse) Constructor to have a Response object fully built and ready to validate the saml response.

Method Summary

Modifier and Type	Method and Description
Boolean	checkOneAuthnStatement() Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.
Boolean	checkOneCondition() Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.
void	checkStatus() Checks the Status
String	getAssertionId()
String	getAssertionIssuer() Gets the Assertion Issuer.
List<org.joda.time.Instant>	getAssertionNotOnOrAfter()
HashMap<String,List<String>>	getAttributes() Gets the Attributes from the AttributeStatement element.
List<String>	getAudiences() Gets the audiences.
String	getError() After execute a validation process, if fails this method returns the cause
String	getId()
List<String>	getIssuers() Deprecated. use getResponseIssuer() and/or getAssertionIssuer(); the contract of this method is quite controversial
String	getNameId() Gets the NameID value provided from the SAML Response String.
Map<String,String>	getNameIdData() Gets the NameID provided from the SAML Response Document.
String	getNameIdFormat() Gets the NameID Format provided from the SAML Response String.
String	getNameIdNameQualifier() Gets the NameID NameQualifier provided from the SAML Response String.
String	getNameIdSPNameQualifier() Gets the NameID SP NameQualifier provided from the SAML Response String.
Calendar	getResponseIssueInstant() Returns the issue instant of this message.
String	getResponseIssuer() Gets the Response Issuer.
SamlResponseStatus	getResponseStatus() Returns the ResponseStatus object
protected Document	getSAMLResponseDocument()
String	getSAMLResponseXml()
String	getSessionIndex() Gets the SessionIndex from the AuthnStatement.
org.joda.time.DateTime	getSessionNotOnOrAfter() Gets the SessionNotOnOrAfter from the AuthnStatement.
static SamlResponseStatus	getStatus(Document dom) Get Status from a Response
Exception	getValidationException() After execute a validation process, if fails this method returns the Exception object
boolean	isValid() Determines if the SAML Response is valid using the certificate.
boolean	isValid(String requestId) Determines if the SAML Response is valid using the certificate.
void	loadXmlFromBase64(String responseStr) Load a XML base64encoded SAMLResponse
ArrayList<String>	processSignedElements() Verifies the signature nodes: - Checks that are Response or Assertion - Check that IDs and reference URI are unique and consistent.
protected NodeList	query(String nameQuery, Node context) Extracts nodes that match the query from the DOMDocument (Response Message)
protected NodeList	queryAssertion(String assertionXpath) Extracts a node from the DOMDocument (Assertion).
void	setDestinationUrl(String url) Aux method to set the destination url
protected void	setValidationException(Exception validationException) Sets the validation exception that this SamlResponse should return when a validation error occurs.
protected void	validateAudiences() Validates the audiences.
protected void	validateDestination(Element element) Validate the destination.
Boolean	validateNumAssertions() Verifies that the document only contains a single Assertion (encrypted or not).
protected SubjectConfirmationIssue	validateRecipient(Node recipient, int index) Validate a subject confirmation recipient.
boolean	validateSignedElements(ArrayList<String> signedElements) Verifies that the document has the expected signed nodes.
protected void	validateSpNameQualifier(String spNameQualifier) Validates a SPNameQualifier.
boolean	validateTimestamps() Verifies that the document is still valid according Conditions Element.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SamlResponse

public SamlResponse(Saml2Settings settings,
                    String currentUrl,
                    String samlResponse)
             throws XPathExpressionException,
                    ParserConfigurationException,
                    SAXException,
                    IOException,
                    SettingsException,
                    ValidationError

Constructor to have a Response object fully built and ready to validate the saml response.

Parameters:

settings - Saml2Settings object. Setting data

currentUrl - URL of the current host + current view

samlResponse - A string containting the base64 encoded response from the IdP

Throws:

ValidationError

SettingsException

IOException

SAXException

ParserConfigurationException

XPathExpressionException

SamlResponse

public SamlResponse(Saml2Settings settings,
                    HttpRequest request)
             throws XPathExpressionException,
                    ParserConfigurationException,
                    SAXException,
                    IOException,
                    SettingsException,
                    ValidationError

Constructor to have a Response object fully built and ready to validate the saml response.

Parameters:

settings - Saml2Settings object. Setting data

request - the HttpRequest object to be processed (Contains GET and POST parameters, request URL, ...).

Throws:

ValidationError

SettingsException

IOException

SAXException

ParserConfigurationException

XPathExpressionException

NullPointerException

Method Detail

loadXmlFromBase64

public void loadXmlFromBase64(String responseStr)
                       throws ParserConfigurationException,
                              XPathExpressionException,
                              SAXException,
                              IOException,
                              SettingsException,
                              ValidationError

Load a XML base64encoded SAMLResponse

Parameters:

responseStr - Saml2Settings object. Setting data

Throws:

ParserConfigurationException

SettingsException

IOException

SAXException

XPathExpressionException

ValidationError

isValid

public boolean isValid(String requestId)

Determines if the SAML Response is valid using the certificate.

Parameters:

requestId - The ID of the AuthNRequest sent by this SP to the IdP

Returns:

if the response is valid or not

isValid

public boolean isValid()

Determines if the SAML Response is valid using the certificate.

Returns:

if the response is valid or not

getNameIdData

public Map<String,String> getNameIdData()
                                 throws Exception

Gets the NameID provided from the SAML Response Document.

Returns:

the Name ID Data (Value, Format, NameQualifier, SPNameQualifier)

Throws:

Exception

getNameId

public String getNameId()
                 throws Exception

Gets the NameID value provided from the SAML Response String.

Returns:

string Name ID Value

Throws:

Exception

getNameIdFormat

public String getNameIdFormat()
                       throws Exception

Gets the NameID Format provided from the SAML Response String.

Returns:

string NameID Format

Throws:

Exception

getNameIdNameQualifier

public String getNameIdNameQualifier()
                              throws Exception

Gets the NameID NameQualifier provided from the SAML Response String.

Returns:

string NameQualifier

Throws:

Exception

getNameIdSPNameQualifier

public String getNameIdSPNameQualifier()
                                throws Exception

Gets the NameID SP NameQualifier provided from the SAML Response String.

Returns:

string SP NameQualifier

Throws:

Exception

getAttributes

public HashMap<String,List<String>> getAttributes()
                                           throws XPathExpressionException,
                                                  ValidationError

Gets the Attributes from the AttributeStatement element.

Returns:

the attributes of the SAML Assertion

Throws:

XPathExpressionException

ValidationError

getResponseStatus

public SamlResponseStatus getResponseStatus()

Returns the ResponseStatus object

Returns:

checkStatus

public void checkStatus()
                 throws ValidationError

Checks the Status

Throws:

ValidationError - If status is not success

getStatus

public static SamlResponseStatus getStatus(Document dom)
                                    throws ValidationError

Get Status from a Response

Parameters:

dom - The Response as XML

Returns:

SamlResponseStatus

Throws:

IllegalArgumentException - if the response not contain status or if Unexpected XPath error

ValidationError

checkOneCondition

public Boolean checkOneCondition()
                          throws XPathExpressionException

Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique.

Returns:

true if the Conditions element exists and is unique

Throws:

XPathExpressionException

checkOneAuthnStatement

public Boolean checkOneAuthnStatement()
                               throws XPathExpressionException

Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique.

Returns:

true if the AuthnStatement element exists and is unique

Throws:

XPathExpressionException

getAudiences

public List<String> getAudiences()
                          throws XPathExpressionException

Gets the audiences.

Returns:

the audiences of the response

Throws:

XPathExpressionException

getResponseIssuer

public String getResponseIssuer()
                         throws XPathExpressionException,
                                ValidationError

Gets the Response Issuer.

Returns:

the Response Issuer, or null if not specified

Throws:

XPathExpressionException

ValidationError - if multiple Response issuers were found

See Also:

getAssertionIssuer(), getIssuers()

getAssertionIssuer

public String getAssertionIssuer()
                          throws XPathExpressionException,
                                 ValidationError

Gets the Assertion Issuer.

Returns:

the Assertion Issuer

Throws:

XPathExpressionException

ValidationError - if no Assertion Issuer could be found, or if multiple Assertion issuers were found

See Also:

getResponseIssuer(), getIssuers()

getIssuers

@Deprecated
public List<String> getIssuers()
                                    throws XPathExpressionException,
                                           ValidationError

Deprecated. use getResponseIssuer() and/or getAssertionIssuer(); the contract of this method is quite controversial

Gets the Issuers (from Response and Assertion). If the same issuer appears both in the Response and in the Assertion (as it should), the returned list will contain it just once. Hence, the returned list should always return one element and in particular:

• it will never contain zero elements (it means an Assertion Issuer could not be found, hence a ValidationError will be thrown instead)
• if it contains more than one element, it means that the response is invalid and one of the returned issuers won't pass the check performed by isValid(String) (which requires both issuers to be equal to the Identity Provider entity id)

Warning: as a consequence of the above, if this response status code is not a successful one, this method will throw a ValidationError because it won't find any Assertion Issuer. In this case, if you need to retrieve the Response Issuer any way, you must use getResponseIssuer() instead.

Returns:

the issuers of the assertion/response

Throws:

XPathExpressionException

ValidationError - if multiple Response Issuers or multiple Assertion Issuers were found, or if no Assertion Issuer could be found

See Also:

getResponseIssuer(), getAssertionIssuer()

getSessionNotOnOrAfter

public org.joda.time.DateTime getSessionNotOnOrAfter()
                                              throws XPathExpressionException

Gets the SessionNotOnOrAfter from the AuthnStatement. Could be used to set the local session expiration

Returns:

the SessionNotOnOrAfter value

Throws:

XPathExpressionException

getSessionIndex

public String getSessionIndex()
                       throws XPathExpressionException

Gets the SessionIndex from the AuthnStatement. Could be used to be stored in the local session in order to be used in a future Logout Request that the SP could send to the SP, to set what specific session must be deleted

Returns:

the SessionIndex value

Throws:

XPathExpressionException

getId

public String getId()

Returns:

the ID of the Response

getAssertionId

public String getAssertionId()
                      throws XPathExpressionException

Returns:

the ID of the assertion in the Response

Throws:

XPathExpressionException

getAssertionNotOnOrAfter

public List<org.joda.time.Instant> getAssertionNotOnOrAfter()
                                                     throws XPathExpressionException

Returns:

a list of NotOnOrAfter values from SubjectConfirmationData nodes in this Response

Throws:

XPathExpressionException

validateNumAssertions

public Boolean validateNumAssertions()
                              throws IllegalArgumentException

Verifies that the document only contains a single Assertion (encrypted or not).

Returns:

true if the document passes.

Throws:

IllegalArgumentException

processSignedElements

public ArrayList<String> processSignedElements()
                                        throws XPathExpressionException,
                                               ValidationError

Verifies the signature nodes: - Checks that are Response or Assertion - Check that IDs and reference URI are unique and consistent.

Returns:

array Signed element tags

Throws:

XPathExpressionException

ValidationError

validateSignedElements

public boolean validateSignedElements(ArrayList<String> signedElements)
                               throws XPathExpressionException,
                                      ValidationError

Verifies that the document has the expected signed nodes.

Parameters:

signedElements - the elements to be validated

Returns:

true if is valid

Throws:

XPathExpressionException

ValidationError

validateTimestamps

public boolean validateTimestamps()
                           throws ValidationError

Verifies that the document is still valid according Conditions Element.

Returns:

true if still valid

Throws:

ValidationError

setDestinationUrl

public void setDestinationUrl(String url)

Aux method to set the destination url

Parameters:

url - the url to set as currentUrl

getError

public String getError()

After execute a validation process, if fails this method returns the cause

Returns:

the cause of the validation error as a string

getValidationException

public Exception getValidationException()

After execute a validation process, if fails this method returns the Exception object

Returns:

the cause of the validation error

setValidationException

protected void setValidationException(Exception validationException)

Sets the validation exception that this SamlResponse should return when a validation error occurs.

Parameters:

validationException - the validation exception to set

queryAssertion

protected NodeList queryAssertion(String assertionXpath)
                           throws XPathExpressionException

Extracts a node from the DOMDocument (Assertion).

Parameters:

assertionXpath - Xpath Expression

Returns:

the queried node

Throws:

XPathExpressionException

query

protected NodeList query(String nameQuery,
                         Node context)
                  throws XPathExpressionException

Extracts nodes that match the query from the DOMDocument (Response Message)

Parameters:

nameQuery - Xpath Expression

context - The context node

Returns:

DOMNodeList The queried nodes

Throws:

XPathExpressionException

getSAMLResponseXml

public String getSAMLResponseXml()

Returns:

the SAMLResponse XML, If the Assertion of the SAMLResponse was encrypted, returns the XML with the assertion decrypted

getSAMLResponseDocument

protected Document getSAMLResponseDocument()

Returns:

the SAMLResponse Document, If the Assertion of the SAMLResponse was encrypted, returns the Document with the assertion decrypted

validateAudiences

protected void validateAudiences()
                          throws XPathExpressionException,
                                 ValidationError

Validates the audiences.

Throws:

XPathExpressionException

ValidationError

validateDestination

protected void validateDestination(Element element)
                            throws ValidationError

Validate the destination.

Parameters:

element - element with the destination attribute

Throws:

ValidationError

validateRecipient

protected SubjectConfirmationIssue validateRecipient(Node recipient,
                                                     int index)

Validate a subject confirmation recipient.

Parameters:

recipient - recipient node

index - index of the subject confirmation node

Returns:

a subject confirmation issue or null

validateSpNameQualifier

protected void validateSpNameQualifier(String spNameQualifier)
                                throws ValidationError

Validates a SPNameQualifier.

Parameters:

spNameQualifier - the SPNameQualifier

Throws:

ValidationError

getResponseIssueInstant

public Calendar getResponseIssueInstant()
                                 throws ValidationError

Returns the issue instant of this message.

Returns:

a new Calendar instance carrying the issue instant of this message

Throws:

ValidationError - if the found IssueInstant attribute is not in the expected UTC form of ISO-8601 format