Class SecretsSaml2CredentialResolver

  • All Implemented Interfaces:
    org.forgerock.openam.saml2.plugins.Saml2CredentialResolver

    public class SecretsSaml2CredentialResolver
    extends Object
    implements org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
    An implementation of Saml2CredentialResolver that resolves secrets configured in an IG route/heap. This class is enabled by setting the org.forgerock.openam.saml2.credential.resolver.class property, either as an entry in the FederationConfig.properties file or as a Java VM -D flag, to:
    
     org.forgerock.openam.saml2.credential.resolver.class=org.forgerock.openig.handler.saml.SecretsSaml2CredentialResolver
     
    
     {
         "condition": "${find(request.uri.path, '^/sp')}",
         "handler": {
             "type": "SamlFederationHandler",
             "config": {
                 "assertionMapping": {
                     "cn": "cn",
                     "sn": "sn"
                 },
                 "redirectURI": "/",
                 "secretsProvider": {
                     "type": "KeyStoreSecretStore",
                     "config": {
                         "file": "${openig.baseDirectory.path.concat('/SAML/sp-keystore.jceks')}",
                         "storeType": "jceks",
                         "storePassword": "store.id",
                         "keyEntryPassword": "key.id",
                         "secretsProvider": {
                             "type": "SystemAndEnvSecretStore"
                         },
                         "mappings": [{
                                 "secretId": "sp.signing.SP",
                                 "aliases": ["signing"]
                             },
                             {
                                 "secretId": "sp.decryption.SP",
                                 "aliases": ["decryption"]
                             }
                         ]
                     }
                 }
             }
         }
     }
     
    The "secretId" item used in the keystore mappings is made up of a prefix for the entity's role (always sp for IG), followed by either .signing. or .decryption. depending on the purpose of the secret. The final part of the "secretId" item is based on the entityId of the Service Provider, which is IG-SP in the example above.
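    As an added example (not part of IG or of this class), the following Python checks whether a route's KeyStoreSecretStore mappings contain the secretIds this resolver looks up for a given SP entityId; the embedded route fragment and the entityId value "SP" are constructed to mirror the example above.

```python
import json

# Constructed IG route fragment mirroring the example above (assumption: entityId "SP").
ROUTE_JSON = r'''
{
  "handler": {
    "type": "SamlFederationHandler",
    "config": {
      "secretsProvider": {
        "type": "KeyStoreSecretStore",
        "config": {
          "mappings": [
            {"secretId": "sp.signing.SP", "aliases": ["signing"]},
            {"secretId": "sp.decryption.SP", "aliases": ["decryption"]}
          ]
        }
      }
    }
  }
}
'''

def expected_secret_ids(entity_id, role="sp"):
    """Secret IDs the resolver looks up: <role>.signing.<entityId> and <role>.decryption.<entityId>."""
    return {purpose: f"{role}.{purpose}.{entity_id}" for purpose in ("signing", "decryption")}

def find_mappings(node):
    """Walk the route JSON recursively and collect every KeyStoreSecretStore 'mappings' entry."""
    found = []
    if isinstance(node, dict):
        if node.get("type") == "KeyStoreSecretStore":
            found.extend(node.get("config", {}).get("mappings", []))
        for value in node.values():
            found.extend(find_mappings(value))
    elif isinstance(node, list):
        for value in node:
            found.extend(find_mappings(value))
    return found

def check_route(route_json, entity_id):
    """Map each expected purpose to the keystore aliases mapped to its secretId, or None if unmapped."""
    aliases_by_id = {}
    for mapping in find_mappings(json.loads(route_json)):
        aliases_by_id.setdefault(mapping["secretId"], []).extend(mapping.get("aliases", []))
    return {purpose: aliases_by_id.get(sid) for purpose, sid in expected_secret_ids(entity_id).items()}
```

    A None result for a purpose means the resolver will not find a credential for that entityId, which is the misconfiguration to look for when the SP entityId and the mapping suffix disagree.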

    The AM SAML federation library will fall back to direct keystore look-ups based on entries in the SP extended metadata when no Saml2CredentialResolver implementation has been specified.

    • Constructor Detail

      • SecretsSaml2CredentialResolver

        public SecretsSaml2CredentialResolver()
        Default constructor to allow for some logging to show when it is created.
    • Method Detail

      • resolveActiveSigningCredential

        public org.forgerock.openam.saml2.crypto.signing.Saml2SigningCredentials resolveActiveSigningCredential(String realm,
                                                                                                                String entityId,
                                                                                                                org.forgerock.openam.saml2.Saml2EntityRole role)
                                                                                                         throws com.sun.identity.saml2.common.SAML2Exception
        Specified by:
        resolveActiveSigningCredential in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
        Throws:
        com.sun.identity.saml2.common.SAML2Exception
      • resolveValidSigningCredentials

        public Set<X509Certificate> resolveValidSigningCredentials(String realm,
                                                                   String entityId,
                                                                   org.forgerock.openam.saml2.Saml2EntityRole role)
                                                            throws com.sun.identity.saml2.common.SAML2Exception
        Specified by:
        resolveValidSigningCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
        Throws:
        com.sun.identity.saml2.common.SAML2Exception
      • resolveValidDecryptionCredentials

        public Set<PrivateKey> resolveValidDecryptionCredentials(String realm,
                                                                 String entityId,
                                                                 org.forgerock.openam.saml2.Saml2EntityRole role)
                                                          throws com.sun.identity.saml2.common.SAML2Exception
        Specified by:
        resolveValidDecryptionCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
        Throws:
        com.sun.identity.saml2.common.SAML2Exception
      • resolveValidEncryptionCredentials

        public Set<X509Certificate> resolveValidEncryptionCredentials(String realm,
                                                                      String entityId,
                                                                      org.forgerock.openam.saml2.Saml2EntityRole role)
                                                               throws com.sun.identity.saml2.common.SAML2Exception
        Specified by:
        resolveValidEncryptionCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
        Throws:
        com.sun.identity.saml2.common.SAML2Exception