Interface SPAdapter

  • All Superinterfaces:
    InitializablePlugin, SAMLPlugin
  • All Known Implementing Classes:
    SAML2ServiceProviderAdapter

    @EvolvingAll
    public interface SPAdapter
    extends InitializablePlugin
    The SPAdapterPlugin contract provides hooks for running user-specific logic during SAMLv2 protocol processing on the Service Provider side. The implementing class can be configured per service provider in the extended metadata configuration.

    A single instance of the class implementing the SPAdapterPlugin contract is used per Service Provider at runtime, so make sure the implementations of the methods are thread safe.

    • Field Detail

      • SUCCESS

        static final int SUCCESS
        Status code for Single Sign-On success.
      • INVALID_RESPONSE

        static final int INVALID_RESPONSE
        Status code for an invalid response from the IDP.
      • FEDERATION_FAILED_WRITING_ACCOUNT_INFO

        static final int FEDERATION_FAILED_WRITING_ACCOUNT_INFO
        Status code for federation failure because the account federation information could not be written.
      • SSO_FAILED_SESSION_ERROR

        static final int SSO_FAILED_SESSION_ERROR
        Status code for Single Sign-On failure due to an internal session error.
      • SSO_FAILED_ATTRIBUTE_MAPPING

        static final int SSO_FAILED_ATTRIBUTE_MAPPING
        Status code for Single Sign-On failure due to an attribute mapping error.
      • SSO_FAILED_NO_USER_MAPPING

        static final int SSO_FAILED_NO_USER_MAPPING
        Status code for Single Sign-On failure because no user mapping was found.
      • SSO_FAILED_AUTH_USER_INACTIVE

        static final int SSO_FAILED_AUTH_USER_INACTIVE
        Status code for Single Sign-On failure due to an inactive user account.
      • SSO_FAILED_AUTH_USER_LOCKED

        static final int SSO_FAILED_AUTH_USER_LOCKED
        Status code for Single Sign-On failure due to a locked user account.
      • SSO_FAILED_AUTH_ACCOUNT_EXPIRED

        static final int SSO_FAILED_AUTH_ACCOUNT_EXPIRED
        Status code for Single Sign-On failure due to an expired user account.
      • SSO_FAILED_SESSION_GENERATION

        static final int SSO_FAILED_SESSION_GENERATION
        Status code for Single Sign-On failure because the user session could not be generated.
      • SSO_FAILED_META_DATA_ERROR

        static final int SSO_FAILED_META_DATA_ERROR
        Status code for Single Sign-On failure because the metadata could not be retrieved.
    • Method Detail

      • preSingleSignOnRequest

        default void preSingleSignOnRequest(String hostedEntityID,
                                            String idpEntityID,
                                            String realm,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response,
                                            AuthnRequest authnRequest)
                                     throws SAML2Exception
        Invoked before AM sends the Single Sign-On request to the IDP.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        idpEntityID - entity ID for the IDP to which the request will be sent. This will be null in the ECP case
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        authnRequest - the authentication request to be sent to the IDP
        Throws:
        SAML2Exception - if the implementation wants to fail the process
      • preSingleSignOnProcess

        default void preSingleSignOnProcess(String hostedEntityID,
                                            String realm,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response,
                                            AuthnRequest authnRequest,
                                            Response ssoResponse,
                                            String profile)
                                     throws SAML2Exception
        Invoked when FAM has received the Single Sign-On response from the IDP; this is called before any processing has started on the SP side.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        authnRequest - the original authentication request sent from the SP, null if this is IDP-initiated SSO
        ssoResponse - response from the IDP
        profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
        Throws:
        SAML2Exception - if the implementation wants to fail the process
      • postSingleSignOnSuccess

        default boolean postSingleSignOnSuccess(String hostedEntityID,
                                                String realm,
                                                javax.servlet.http.HttpServletRequest request,
                                                javax.servlet.http.HttpServletResponse response,
                                                PrintWriter out,
                                                Object session,
                                                AuthnRequest authnRequest,
                                                Response ssoResponse,
                                                String profile,
                                                boolean isFederation)
                                         throws SAML2Exception
        Invoked after Single Sign-On processing has succeeded.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        out - the print writer for writing out presentation
        session - the user's session
        authnRequest - the original authentication request sent from the SP, null if this is IDP-initiated SSO
        ssoResponse - response from the IDP
        profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
        isFederation - true if this is the federation case, false otherwise
        Returns:
        true if browser redirection happened after processing, false otherwise. Defaults to false
        Throws:
        SAML2Exception - if the implementation wants to fail the process
      • postSingleSignOnFailure

        default boolean postSingleSignOnFailure(String hostedEntityID,
                                                String realm,
                                                javax.servlet.http.HttpServletRequest request,
                                                javax.servlet.http.HttpServletResponse response,
                                                AuthnRequest authnRequest,
                                                Response ssoResponse,
                                                String profile,
                                                int failureCode)
        Invoked after Single Sign-On processing has failed.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        authnRequest - the original authentication request sent from the SP, null if this is IDP-initiated SSO
        ssoResponse - response from the IDP
        profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
        failureCode - an integer specifying the failure code. Possible failure codes are defined in this interface
        Returns:
        true if browser redirection happened, false otherwise. Defaults to false
      • postNewNameIDSuccess

        default void postNewNameIDSuccess(String hostedEntityID,
                                          String realm,
                                          javax.servlet.http.HttpServletRequest request,
                                          javax.servlet.http.HttpServletResponse response,
                                          String userID,
                                          ManageNameIDRequest idRequest,
                                          ManageNameIDResponse idResponse,
                                          String binding)
        Invoked after new Name Identifier processing has succeeded.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        userID - universal ID of the user for whom the new name identifier request was performed
        idRequest - new name identifier request; the value will be null if the request object is not available
        idResponse - new name identifier response; the value will be null if the response object is not available
        binding - binding used for the new name identifier request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
      • postTerminateNameIDSuccess

        default void postTerminateNameIDSuccess(String hostedEntityID,
                                                String realm,
                                                javax.servlet.http.HttpServletRequest request,
                                                javax.servlet.http.HttpServletResponse response,
                                                String userID,
                                                ManageNameIDRequest idRequest,
                                                ManageNameIDResponse idResponse,
                                                String binding)
        Invoked after Terminate Name Identifier processing has succeeded.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        userID - universal ID of the user for whom the name ID termination was performed
        idRequest - terminate name identifier request
        idResponse - terminate name identifier response; the value will be null if the response object is not available
        binding - binding used for the Terminate Name Identifier request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
      • preSingleLogoutProcess

        default void preSingleLogoutProcess(String hostedEntityID,
                                            String realm,
                                            javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response,
                                            String userID,
                                            LogoutRequest logoutRequest,
                                            LogoutResponse logoutResponse,
                                            String binding)
                                     throws SAML2Exception
        Invoked before the single logout process starts on the SP side. This method is called before the user session is invalidated on the service provider side.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        userID - universal ID of the user
        logoutRequest - single logout request object
        logoutResponse - single logout response; the value will be null if the response object is not available
        binding - binding used for the Single Logout request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
        Throws:
        SAML2Exception - if the implementation wants to fail the process
      • postSingleLogoutSuccess

        default void postSingleLogoutSuccess(String hostedEntityID,
                                             String realm,
                                             javax.servlet.http.HttpServletRequest request,
                                             javax.servlet.http.HttpServletResponse response,
                                             String userID,
                                             LogoutRequest logoutRequest,
                                             LogoutResponse logoutResponse,
                                             String binding)
        Invoked after the single logout process has succeeded, i.e. the user session has been invalidated.
        Parameters:
        hostedEntityID - entity ID for the hosted SP
        realm - realm of the hosted SP
        request - servlet request
        response - servlet response
        userID - universal ID of the user
        logoutRequest - single logout request; the value will be null if the request object is not available
        logoutResponse - single logout response; the value will be null if the response object is not available
        binding - binding used for the Single Logout request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
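As an added example (not part of AM or of this page), a stateless SPAdapter implementation that uses two of the hooks above: preSingleSignOnProcess refuses unsolicited (IDP-initiated) responses, which the contract signals with a null authnRequest, and postSingleSignOnFailure maps the failure codes defined in this interface to readable names for the audit log. The class name, the package locations of the imports and the SAML2Exception(String) constructor are assumptions.

```java
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.saml2.common.SAML2Exception;      // assumed package
import com.sun.identity.saml2.protocol.AuthnRequest;      // assumed package
import com.sun.identity.saml2.protocol.Response;          // assumed package
import org.forgerock.openam.saml2.plugins.SPAdapter;      // assumed package

/** Stateless adapter: AM uses one instance per SP, so it keeps no mutable fields (thread safe). */
public class AuditingSpAdapter implements SPAdapter {   // hypothetical class name
    private static final Logger LOG = Logger.getLogger(AuditingSpAdapter.class.getName());
    // Immutable lookup from the interface's failure codes to names for the audit log.
    private static final Map<Integer, String> FAILURE_NAMES = Map.of(
            INVALID_RESPONSE, "INVALID_RESPONSE",
            FEDERATION_FAILED_WRITING_ACCOUNT_INFO, "FEDERATION_FAILED_WRITING_ACCOUNT_INFO",
            SSO_FAILED_SESSION_ERROR, "SSO_FAILED_SESSION_ERROR",
            SSO_FAILED_ATTRIBUTE_MAPPING, "SSO_FAILED_ATTRIBUTE_MAPPING",
            SSO_FAILED_NO_USER_MAPPING, "SSO_FAILED_NO_USER_MAPPING",
            SSO_FAILED_AUTH_USER_INACTIVE, "SSO_FAILED_AUTH_USER_INACTIVE",
            SSO_FAILED_AUTH_USER_LOCKED, "SSO_FAILED_AUTH_USER_LOCKED",
            SSO_FAILED_AUTH_ACCOUNT_EXPIRED, "SSO_FAILED_AUTH_ACCOUNT_EXPIRED",
            SSO_FAILED_SESSION_GENERATION, "SSO_FAILED_SESSION_GENERATION",
            SSO_FAILED_META_DATA_ERROR, "SSO_FAILED_META_DATA_ERROR");

    /** Runs before AM processes an incoming response; authnRequest is null for IDP-initiated SSO. */
    @Override
    public void preSingleSignOnProcess(String hostedEntityID, String realm, HttpServletRequest request,
            HttpServletResponse response, AuthnRequest authnRequest, Response ssoResponse, String profile)
            throws SAML2Exception {
        if (authnRequest == null) {
            // An unsolicited response cannot be tied to a request this SP issued, so fail the process.
            LOG.warning("Rejected unsolicited SAML response for SP " + hostedEntityID
                    + " via " + profile + " from " + request.getRemoteAddr());
            throw new SAML2Exception("IDP-initiated SSO is not permitted for this service provider");
        }
    }

    /** Runs after a failed SSO; returning false tells AM that the adapter did not redirect the browser. */
    @Override
    public boolean postSingleSignOnFailure(String hostedEntityID, String realm, HttpServletRequest request,
            HttpServletResponse response, AuthnRequest authnRequest, Response ssoResponse, String profile,
            int failureCode) {
        String reason = FAILURE_NAMES.getOrDefault(failureCode, "UNKNOWN(" + failureCode + ")");
        LOG.warning("SAML SSO failed for SP " + hostedEntityID + " in realm " + realm + ": " + reason
                + " via " + profile + " from " + request.getRemoteAddr());
        return false;
    }
}
```

The remaining hooks keep their default (no-op) behaviour, so the class only has to be registered in the SP's extended metadata as the page describes.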