Interface SPAdapter

All Superinterfaces:
InitializablePlugin, SAMLPlugin
All Known Implementing Classes:
SAML2ServiceProviderAdapter

@EvolvingAll
public interface SPAdapter extends InitializablePlugin
The SPAdapterPlugin provides contracts for performing user-specific logic during SAMLv2 protocol processing on the Service Provider side. The implementation class can be configured per service provider in the extended metadata configuration.

A singleton instance of the class implementing the SPAdapterPlugin contracts is used per Service Provider at runtime, so make sure the implementations of the methods are thread-safe.

  • Field Details

    • SUCCESS

      static final int SUCCESS
      Status code for Single Sign-on success.
    • INVALID_RESPONSE

      static final int INVALID_RESPONSE
      Status code for invalid response from IDP.
    • FEDERATION_FAILED_WRITING_ACCOUNT_INFO

      static final int FEDERATION_FAILED_WRITING_ACCOUNT_INFO
      Status code for federation failure due to being unable to write the account federation information.
    • SSO_FAILED_SESSION_ERROR

      static final int SSO_FAILED_SESSION_ERROR
      Status code for Single Sign-On failure due to internal session error.
    • SSO_FAILED_ATTRIBUTE_MAPPING

      static final int SSO_FAILED_ATTRIBUTE_MAPPING
      Status code for Single Sign-On failure due to an attribute mapping error.
    • SSO_FAILED_NO_USER_MAPPING

      static final int SSO_FAILED_NO_USER_MAPPING
      Status code for Single Sign-On failure due to no user mapping.
    • SSO_FAILED_AUTH_USER_INACTIVE

      static final int SSO_FAILED_AUTH_USER_INACTIVE
      Status code for Single Sign-On failure due to inactive user account.
    • SSO_FAILED_AUTH_USER_LOCKED

      static final int SSO_FAILED_AUTH_USER_LOCKED
      Status code for Single Sign-On failure due to locked user account.
    • SSO_FAILED_AUTH_ACCOUNT_EXPIRED

      static final int SSO_FAILED_AUTH_ACCOUNT_EXPIRED
      Status code for Single Sign-On failure due to expired user account.
    • SSO_FAILED_SESSION_GENERATION

      static final int SSO_FAILED_SESSION_GENERATION
      Status code for Single Sign-On failure due to being unable to generate a user session.
    • SSO_FAILED_META_DATA_ERROR

      static final int SSO_FAILED_META_DATA_ERROR
      Status code for Single Sign-On failure due to being unable to retrieve metadata.
  • Method Details

    • preSingleSignOnRequest

      default void preSingleSignOnRequest(String hostedEntityID, String idpEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthnRequest authnRequest) throws com.sun.identity.saml2.common.SAML2Exception
      Invoked before AM sends the Single Sign-On request to the IDP.
      Parameters:
      hostedEntityID - entity ID for the hosted SP
      idpEntityID - entity id for the IDP to which the request will be sent. This will be null in ECP case
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      authnRequest - the authentication request to be sent to the IDP
      Throws:
      com.sun.identity.saml2.common.SAML2Exception - if the adapter wants to fail the process.
    • preSingleSignOnProcess

      default void preSingleSignOnProcess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthnRequest authnRequest, Response ssoResponse, String profile) throws com.sun.identity.saml2.common.SAML2Exception
      Invoked when the FAM has received the Single Sign-On response from the IDP; this is called before any processing has started on the SP side.
      Parameters:
      hostedEntityID - entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      authnRequest - the original authentication request sent from SP, null if this is IDP initiated SSO
      ssoResponse - response from IDP
      profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
      Throws:
      com.sun.identity.saml2.common.SAML2Exception - if the adapter wants to fail the process
    • postSingleSignOnSuccess

      default boolean postSingleSignOnSuccess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, PrintWriter out, Object session, AuthnRequest authnRequest, Response ssoResponse, String profile, boolean isFederation) throws com.sun.identity.saml2.common.SAML2Exception
      Invoked after Single Sign-On processing has succeeded.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      out - the print writer for writing out presentation
      session - user's session
      authnRequest - the original authentication request sent from SP, null if this is IDP initiated SSO
      ssoResponse - response from IDP
      profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
      isFederation - true if this is federation case, false otherwise
      Returns:
      true if browser redirection happened after processing, false otherwise. Defaults to false
      Throws:
      com.sun.identity.saml2.common.SAML2Exception - if the adapter wants to fail the process
    • postSingleSignOnFailure

      default boolean postSingleSignOnFailure(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, AuthnRequest authnRequest, Response ssoResponse, String profile, int failureCode)
      Invoked after Single Sign-On processing has failed.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      authnRequest - the original authentication request sent from SP, null if this is IDP initiated SSO
      ssoResponse - response from IDP
      profile - protocol profile used, one of the following values: SAML2Constants.HTTP_POST, SAML2Constants.HTTP_ARTIFACT, SAML2Constants.PAOS
      failureCode - an integer specifying the failure code; the possible failure codes are defined in this interface
      Returns:
      true if browser redirection happened, false otherwise. Defaults to false
    • postNewNameIDSuccess

      default void postNewNameIDSuccess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String userID, ManageNameIDRequest idRequest, ManageNameIDResponse idResponse, String binding)
      Invoked after new Name Identifier processing has succeeded.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      userID - Universal ID of the user for whom the new name identifier request was performed
      idRequest - New name identifier request, value will be null if the request object is not available
      idResponse - New name identifier response, value will be null if the response object is not available
      binding - Binding used for the new name identifier request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
    • postTerminateNameIDSuccess

      default void postTerminateNameIDSuccess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String userID, ManageNameIDRequest idRequest, ManageNameIDResponse idResponse, String binding)
      Invoked after Terminate Name Identifier processing has succeeded.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      userID - Universal ID of the user for whom name ID termination was performed
      idRequest - Terminate name identifier request
      idResponse - Terminate name identifier response, value will be null if the response object is not available
      binding - binding used for the Terminate Name Identifier request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
    • preSingleLogoutProcess

      default void preSingleLogoutProcess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String userID, LogoutRequest logoutRequest, LogoutResponse logoutResponse, String binding) throws com.sun.identity.saml2.common.SAML2Exception
      Invoked before the single logout process starts on the SP side. This method is called before the user session is invalidated on the service provider side.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      userID - universal ID of the user
      logoutRequest - single logout request object
      logoutResponse - single logout response, value will be null if the response object is not available
      binding - binding used for the Single Logout request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
      Throws:
      com.sun.identity.saml2.common.SAML2Exception - if the adapter wants to fail the process
    • postSingleLogoutSuccess

      default void postSingleLogoutSuccess(String hostedEntityID, String realm, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String userID, LogoutRequest logoutRequest, LogoutResponse logoutResponse, String binding)
      Invoked after the single logout process has succeeded, i.e. the user session has been invalidated.
      Parameters:
      hostedEntityID - Entity ID for the hosted SP
      realm - Realm of the hosted SP
      request - servlet request
      response - servlet response
      userID - universal ID of the user
      logoutRequest - single logout request, value will be null if the request object is not available
      logoutResponse - single logout response, value will be null if the response object is not available
      binding - binding used for the Single Logout request, one of the following values: SAML2Constants.SOAP, SAML2Constants.HTTP_REDIRECT
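The following is an added example of an SPAdapter implementation; it is not part of this Javadoc or of the AM code base. It shows a stateless adapter that enforces a site policy in preSingleSignOnProcess (reject IdP-initiated SSO, re-check InResponseTo, refuse the PAOS profile), records an audit line in postSingleSignOnSuccess and postSingleSignOnFailure using the status codes defined above, and logs the start of single logout while the SP session is still valid. Assumptions not stated on the page: the interface lives in org.forgerock.openam.saml2.plugins, the protocol classes in com.sun.identity.saml2.protocol, InitializablePlugin adds no abstract method, and the package com.example.saml2 and the class name AuditingSPAdapter are hypothetical.

```java
package com.example.saml2; // hypothetical package

import java.io.PrintWriter;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.protocol.AuthnRequest;
import com.sun.identity.saml2.protocol.LogoutRequest;
import com.sun.identity.saml2.protocol.LogoutResponse;
import com.sun.identity.saml2.protocol.Response;
import org.forgerock.openam.saml2.plugins.SPAdapter; // package assumed, not stated on the page

/**
 * Policy-and-audit adapter for one hosted SP. It holds no mutable instance state,
 * so the single instance AM creates per Service Provider can be shared between
 * request threads. Hooks that are not overridden keep their default behaviour.
 */
public class AuditingSPAdapter implements SPAdapter {

    private static final Logger LOG = Logger.getLogger(AuditingSPAdapter.class.getName());

    @Override
    public void preSingleSignOnProcess(String hostedEntityID, String realm,
            HttpServletRequest request, HttpServletResponse response,
            AuthnRequest authnRequest, Response ssoResponse, String profile)
            throws SAML2Exception {
        // Site policy: this SP accepts only responses to requests it sent itself.
        // AM passes a null authnRequest for IdP-initiated SSO.
        if (authnRequest == null) {
            LOG.warning(() -> "Rejecting IdP-initiated SSO for " + hostedEntityID);
            throw new SAML2Exception("IdP-initiated SSO is not permitted for this SP");
        }
        // Defence in depth on top of AM's own validation: the response must
        // reference the ID of the AuthnRequest this SP issued.
        if (!authnRequest.getID().equals(ssoResponse.getInResponseTo())) {
            throw new SAML2Exception("InResponseTo does not match the AuthnRequest ID");
        }
        // ECP is not enabled for this SP, so a PAOS response is unexpected.
        if (SAML2Constants.PAOS.equals(profile)) {
            throw new SAML2Exception("PAOS profile is not permitted for this SP");
        }
    }

    @Override
    public boolean postSingleSignOnSuccess(String hostedEntityID, String realm,
            HttpServletRequest request, HttpServletResponse response, PrintWriter out,
            Object session, AuthnRequest authnRequest, Response ssoResponse,
            String profile, boolean isFederation) throws SAML2Exception {
        LOG.info(() -> "SSO success sp=" + hostedEntityID + " issuer="
                + ssoResponse.getIssuer().getValue() + " profile=" + profile
                + " federation=" + isFederation);
        return false; // no redirect was issued here, so AM completes the flow
    }

    @Override
    public boolean postSingleSignOnFailure(String hostedEntityID, String realm,
            HttpServletRequest request, HttpServletResponse response,
            AuthnRequest authnRequest, Response ssoResponse, String profile,
            int failureCode) {
        // Guard against a missing or issuer-less response before logging it.
        String issuer = (ssoResponse == null || ssoResponse.getIssuer() == null)
                ? "unknown" : ssoResponse.getIssuer().getValue();
        LOG.warning(() -> "SSO failure sp=" + hostedEntityID + " issuer=" + issuer
                + " code=" + failureCode + " (" + describe(failureCode) + ")");
        return false;
    }

    @Override
    public void preSingleLogoutProcess(String hostedEntityID, String realm,
            HttpServletRequest request, HttpServletResponse response, String userID,
            LogoutRequest logoutRequest, LogoutResponse logoutResponse, String binding)
            throws SAML2Exception {
        // Runs before AM invalidates the SP session: the last point at which
        // application-side cleanup keyed on that session can still use it.
        LOG.info(() -> "SLO start user=" + userID + " binding=" + binding
                + " request=" + (logoutRequest == null ? "n/a" : logoutRequest.getID()));
    }

    /** Stable labels for the status codes defined on SPAdapter, for log-based alerting. */
    static String describe(int failureCode) {
        switch (failureCode) {
            case INVALID_RESPONSE: return "invalid response from IdP";
            case FEDERATION_FAILED_WRITING_ACCOUNT_INFO: return "cannot write federation info";
            case SSO_FAILED_SESSION_ERROR: return "internal session error";
            case SSO_FAILED_ATTRIBUTE_MAPPING: return "attribute mapping error";
            case SSO_FAILED_NO_USER_MAPPING: return "no user mapping";
            case SSO_FAILED_AUTH_USER_INACTIVE: return "user inactive";
            case SSO_FAILED_AUTH_USER_LOCKED: return "user locked";
            case SSO_FAILED_AUTH_ACCOUNT_EXPIRED: return "account expired";
            case SSO_FAILED_SESSION_GENERATION: return "cannot generate session";
            case SSO_FAILED_META_DATA_ERROR: return "metadata retrieval error";
            default: return "unknown";
        }
    }
}
```

To activate it, the fully qualified class name is set in the hosted SP's extended metadata (the spAdapter attribute in AM's SP extended metadata, a name taken from AM's configuration model rather than from this page) and the class is placed on AM's classpath. Throwing SAML2Exception from a pre-hook aborts the flow, so the policy checks above fail closed; the post-hooks return false because they only log and never write to the response themselves.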