1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import java.util.ArrayList;
22  import java.util.List;
23  import java.util.Map;
24  import org.apache.syncope.common.lib.to.AuthModuleTO;
25  import org.apache.syncope.common.lib.types.SAML2BindingType;
26  
/**
 * Settings for an auth module that authenticates users against an external SAML 2.0 Identity Provider.
 * <p>
 * This is a plain configuration bean: it only carries values and hands them to a {@link Mapper} via
 * {@link #map(AuthModuleTO, Mapper)}; the SAML protocol work itself happens in whatever consumes the
 * mapped values (presumably a pac4j SAML client, going by the superclass name — not visible here).
 * <p>
 * NOTE(review): the bean is serializable and exposes two secrets ({@link #getKeystorePassword()} and
 * {@link #getPrivateKeyPassword()}) as plain {@code String}s through public getters. No {@code toString()}
 * is defined in this class, but the superclass is not visible, so treat instances as sensitive and avoid
 * logging or dumping them wholesale.
 * <p>
 * Each field below is declared next to its accessors.
 */
public class SAML2IdPAuthModuleConf extends Pac4jAuthModuleConf implements AuthModuleConf {

    private static final long serialVersionUID = -471527731042579422L;

    // ------------------------------------------------------------------
    // Principal resolution and request transport
    // ------------------------------------------------------------------

    /**
     * Name of the SAML attribute whose value is taken as the authenticated username after a successful
     * authentication. This is the identity anchor for the module, so it is presumably expected to be an
     * attribute the IdP always asserts and that is unique and stable per user; what happens when the
     * attribute is absent is decided by the consumer, not here.
     */
    protected String userIdAttribute;

    public String getUserIdAttribute() {
        return userIdAttribute;
    }

    public void setUserIdAttribute(final String userIdAttribute) {
        this.userIdAttribute = userIdAttribute;
    }

    /**
     * SAML binding used to deliver authentication requests to the IdP. Defaults to
     * {@link SAML2BindingType#REDIRECT}.
     */
    protected SAML2BindingType destinationBinding = SAML2BindingType.REDIRECT;

    public SAML2BindingType getDestinationBinding() {
        return destinationBinding;
    }

    public void setDestinationBinding(final SAML2BindingType destinationBinding) {
        this.destinationBinding = destinationBinding;
    }

    // ------------------------------------------------------------------
    // SP keystore (secrets)
    // ------------------------------------------------------------------

    /**
     * Password protecting the Service Provider keystore that gets generated.
     * Secret: keep it out of logs and error messages.
     */
    protected String keystorePassword;

    public String getKeystorePassword() {
        return keystorePassword;
    }

    public void setKeystorePassword(final String keystorePassword) {
        this.keystorePassword = keystorePassword;
    }

    /**
     * Password protecting the private key generated into the SP keystore.
     * Secret: keep it out of logs and error messages.
     * <p>
     * The field is named {@code protectedKeyPassword} while its accessors are {@code getPrivateKeyPassword()}
     * / {@code setPrivateKeyPassword(String)}; both names are kept as-is because callers and the mapping
     * layer may depend on either of them.
     */
    protected String protectedKeyPassword;

    public String getPrivateKeyPassword() {
        return protectedKeyPassword;
    }

    public void setPrivateKeyPassword(final String protectedKeyPassword) {
        this.protectedKeyPassword = protectedKeyPassword;
    }

    /**
     * Alias of the SP key entry inside the keystore.
     */
    protected String keystoreAlias;

    public String getKeystoreAlias() {
        return keystoreAlias;
    }

    public void setKeystoreAlias(final String keystoreAlias) {
        this.keystoreAlias = keystoreAlias;
    }

    // ------------------------------------------------------------------
    // IdP / SP identity and trust material
    // ------------------------------------------------------------------

    /**
     * Location of the metadata of the Identity Provider that will handle authentications.
     * <p>
     * NOTE(review): IdP metadata is the trust anchor for response validation (it is where the IdP signing
     * certificates normally come from), so this location should point at a trusted, integrity-protected
     * source; whether the consumer verifies a metadata signature or pins TLS is not visible from here.
     */
    protected String identityProviderMetadataPath;

    public String getIdentityProviderMetadataPath() {
        return identityProviderMetadataPath;
    }

    public void setIdentityProviderMetadataPath(final String identityProviderMetadataPath) {
        this.identityProviderMetadataPath = identityProviderMetadataPath;
    }

    /**
     * Entity ID of this Service Provider, used when its metadata is generated.
     */
    protected String serviceProviderEntityId;

    public String getServiceProviderEntityId() {
        return serviceProviderEntityId;
    }

    public void setServiceProviderEntityId(final String serviceProviderEntityId) {
        this.serviceProviderEntityId = serviceProviderEntityId;
    }

    /**
     * Human-readable requester name placed in the authentication request, for display by the user agent
     * or the IdP.
     */
    protected String providerName;

    public String getProviderName() {
        return providerName;
    }

    public void setProviderName(final String providerName) {
        this.providerName = providerName;
    }

    // ------------------------------------------------------------------
    // Time windows accepted during response validation
    // ------------------------------------------------------------------

    /**
     * How old a previous authentication at the IdP may be for an assertion based on it to still be accepted.
     * After a user has a session on the IdP, the IdP will usually not re-prompt for credentials and will
     * simply issue a new assertion referring to that earlier authentication.
     * <p>
     * The value is an ISO-8601 duration string; the default {@code PT3600S} is one hour. (The original
     * documentation spoke of "seconds", but the default is clearly a duration literal — whether a bare
     * number is also accepted depends on the consumer and is not visible here.)
     * Raising this widens the window in which a stale IdP session is trusted; see also {@link #forceAuth}.
     */
    protected String maximumAuthenticationLifetime = "PT3600S";

    public String getMaximumAuthenticationLifetime() {
        return maximumAuthenticationLifetime;
    }

    public void setMaximumAuthenticationLifetime(final String maximumAuthenticationLifetime) {
        this.maximumAuthenticationLifetime = maximumAuthenticationLifetime;
    }

    /**
     * Maximum clock skew tolerated between SP and IdP, added to the {@code NotOnOrAfter} condition when
     * validating a SAML response.
     * <p>
     * The value is an ISO-8601 duration string; the default {@code PT300S} is five minutes. Increasing it
     * extends the lifetime of every assertion (and therefore the replay window), so keep it as small as the
     * deployment's clock accuracy allows.
     */
    protected String acceptedSkew = "PT300S";

    public String getAcceptedSkew() {
        return acceptedSkew;
    }

    public void setAcceptedSkew(final String acceptedSkew) {
        this.acceptedSkew = acceptedSkew;
    }

    // ------------------------------------------------------------------
    // AuthnRequest content
    // ------------------------------------------------------------------

    /**
     * When {@code true}, authentication requests carry {@code ForceAuthn}, asking the IdP to re-authenticate
     * the user even if it already holds a session. Defaults to {@code false}.
     */
    protected boolean forceAuth;

    public boolean isForceAuth() {
        return forceAuth;
    }

    public void setForceAuth(final boolean forceAuth) {
        this.forceAuth = forceAuth;
    }

    /**
     * When {@code true}, authentication requests carry {@code IsPassive}, asking the IdP not to interact
     * with the user. Defaults to {@code false}.
     */
    protected boolean passive;

    public boolean isPassive() {
        return passive;
    }

    public void setPassive(final boolean passive) {
        this.passive = passive;
    }

    /**
     * Value of the {@code AllowCreate} attribute of the requested NameID policy.
     * Accepted values are {@code "true"}, {@code "false"} and {@code "undefined"} (the default, meaning the
     * attribute is left unset). The value is not validated by this class.
     */
    protected String nameIdPolicyAllowCreate = "undefined";

    public String getNameIdPolicyAllowCreate() {
        return nameIdPolicyAllowCreate;
    }

    public void setNameIdPolicyAllowCreate(final String nameIdPolicyAllowCreate) {
        this.nameIdPolicyAllowCreate = nameIdPolicyAllowCreate;
    }

    /**
     * NameID format to request in authentication requests.
     */
    protected String nameIdPolicyFormat;

    public String getNameIdPolicyFormat() {
        return nameIdPolicyFormat;
    }

    public void setNameIdPolicyFormat(final String nameIdPolicyFormat) {
        this.nameIdPolicyFormat = nameIdPolicyFormat;
    }

    /**
     * Authentication context class references to request ({@code AuthnContextClassRef} elements).
     * Mutable: the list is exposed directly and there is no setter, so callers add to it in place.
     */
    protected final List<String> authnContextClassRefs = new ArrayList<>(0);

    public List<String> getAuthnContextClassRefs() {
        return authnContextClassRefs;
    }

    /**
     * Comparison rule applied to the requested authentication context classes. With {@code "exact"} (the
     * default) the IdP must have used one of the listed methods; other accepted values are
     * {@code "minimum"}, {@code "maximum"} and {@code "better"}. Not validated by this class.
     */
    protected String authnContextComparisonType = "exact";

    public String getAuthnContextComparisonType() {
        return authnContextComparisonType;
    }

    public void setAuthnContextComparisonType(final String authnContextComparisonType) {
        this.authnContextComparisonType = authnContextComparisonType;
    }

    /**
     * {@code AttributeConsumingServiceIndex} attribute of the {@code AuthnRequest}: selects, by index, one
     * of the {@code AttributeConsumingService} structures declared in the SP metadata, i.e. the attribute
     * set the SP asks the IdP to release in the assertion.
     * <p>
     * Per the original contract the attribute is only sent when the value is zero or positive. Note that
     * the Java default of this field is {@code 0}, which by that rule counts as "send index 0"; use a
     * negative value to suppress the attribute — TODO confirm against the consumer.
     */
    protected int attributeConsumingServiceIndex;

    public int getAttributeConsumingServiceIndex() {
        return attributeConsumingServiceIndex;
    }

    public void setAttributeConsumingServiceIndex(final int attributeConsumingServiceIndex) {
        this.attributeConsumingServiceIndex = attributeConsumingServiceIndex;
    }

    /**
     * Index of the Assertion Consumer Service URL to pick from the SP metadata. A negative value (the
     * default, {@code -1}) disables the selection.
     */
    protected int assertionConsumerServiceIndex = -1;

    public int getAssertionConsumerServiceIndex() {
        return assertionConsumerServiceIndex;
    }

    public void setAssertionConsumerServiceIndex(final int assertionConsumerServiceIndex) {
        this.assertionConsumerServiceIndex = assertionConsumerServiceIndex;
    }

    /**
     * Whether name qualifiers are produced in the final SAML response. Defaults to {@code true}.
     */
    protected boolean useNameQualifier = true;

    public boolean isUseNameQualifier() {
        return useNameQualifier;
    }

    public void setUseNameQualifier(final boolean useNameQualifier) {
        this.useNameQualifier = useNameQualifier;
    }

    // ------------------------------------------------------------------
    // Signing: what this SP signs, and what it asks the IdP to sign
    // ------------------------------------------------------------------

    /**
     * Whether the generated SP metadata advertises {@code WantAssertionsSigned}. Defaults to {@code false}.
     * <p>
     * NOTE(review): this only affects what the metadata requests from the IdP; whether received assertions
     * are actually required to carry a valid signature is enforced by the consuming SAML client and cannot
     * be read from this class. Do not rely on this flag alone as a security control.
     */
    protected boolean wantsAssertionsSigned;

    public boolean isWantsAssertionsSigned() {
        return wantsAssertionsSigned;
    }

    public void setWantsAssertionsSigned(final boolean wantsAssertionsSigned) {
        this.wantsAssertionsSigned = wantsAssertionsSigned;
    }

    /**
     * Whether the generated SP metadata is signed. Defaults to {@code false}.
     */
    protected boolean signServiceProviderMetadata;

    public boolean isSignServiceProviderMetadata() {
        return signServiceProviderMetadata;
    }

    public void setSignServiceProviderMetadata(final boolean signServiceProviderMetadata) {
        this.signServiceProviderMetadata = signServiceProviderMetadata;
    }

    /**
     * Whether outgoing {@code AuthnRequest}s are signed with the SP key. Defaults to {@code false}.
     * Unsigned requests can be altered in transit (e.g. their {@code ForceAuthn} or NameID policy), so
     * enabling this is the safer choice when the IdP supports it; many IdPs also require it.
     */
    protected boolean signAuthnRequest;

    public boolean isSignAuthnRequest() {
        return signAuthnRequest;
    }

    public void setSignAuthnRequest(final boolean signAuthnRequest) {
        this.signAuthnRequest = signAuthnRequest;
    }

    /**
     * Whether {@code LogoutRequest}s sent by this SP are signed. Defaults to {@code false}.
     */
    protected boolean signServiceProviderLogoutRequest;

    public boolean isSignServiceProviderLogoutRequest() {
        return signServiceProviderLogoutRequest;
    }

    public void setSignServiceProviderLogoutRequest(final boolean signServiceProviderLogoutRequest) {
        this.signServiceProviderLogoutRequest = signServiceProviderLogoutRequest;
    }

    /**
     * Signature algorithms to block, overriding the global defaults when non-empty.
     * Mutable list exposed directly; no setter.
     * <p>
     * NOTE(review): overriding the global block list can silently re-enable weak algorithms (such as
     * SHA-1 based signatures) if the override is narrower than the default — review any non-empty value.
     */
    protected final List<String> blockedSignatureSigningAlgorithms = new ArrayList<>(0);

    public List<String> getBlockedSignatureSigningAlgorithms() {
        return blockedSignatureSigningAlgorithms;
    }

    /**
     * Signature algorithms to use when signing, overriding the global defaults when non-empty.
     * Mutable list exposed directly; no setter.
     */
    protected final List<String> signatureAlgorithms = new ArrayList<>(0);

    public List<String> getSignatureAlgorithms() {
        return signatureAlgorithms;
    }

    /**
     * Digest methods for signature references, overriding the global defaults when non-empty.
     * Mutable list exposed directly; no setter.
     */
    protected final List<String> signatureReferenceDigestMethods = new ArrayList<>(0);

    public List<String> getSignatureReferenceDigestMethods() {
        return signatureReferenceDigestMethods;
    }

    /**
     * Canonicalization algorithm for signatures, overriding the global default when set.
     */
    protected String signatureCanonicalizationAlgorithm;

    public String getSignatureCanonicalizationAlgorithm() {
        return signatureCanonicalizationAlgorithm;
    }

    public void setSignatureCanonicalizationAlgorithm(final String signatureCanonicalizationAlgorithm) {
        this.signatureCanonicalizationAlgorithm = signatureCanonicalizationAlgorithm;
    }

    // ------------------------------------------------------------------
    // Mapping
    // ------------------------------------------------------------------

    /**
     * Delegates to the given {@link Mapper}, passing this configuration together with its owning
     * {@link AuthModuleTO}. The secrets held here are handed over unchanged; the mapper is responsible
     * for handling them appropriately.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the mapping strategy
     * @return whatever the mapper produces for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}
393 }