Class SecretsSaml2CredentialResolver

java.lang.Object
org.forgerock.openig.handler.saml.SecretsSaml2CredentialResolver
All Implemented Interfaces:
org.forgerock.openam.saml2.plugins.Saml2CredentialResolver

public class SecretsSaml2CredentialResolver extends Object implements org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
An implementation of Saml2CredentialResolver that resolves secrets configured in an IG route or heap. This class is enabled by setting the org.forgerock.openam.saml2.credential.resolver.class property, either as an entry in the FederationConfig.properties file or as a Java VM -D flag, to:

 org.forgerock.openam.saml2.credential.resolver.class=org.forgerock.openig.handler.saml.SecretsSaml2CredentialResolver
 

 {
     "condition": "${find(request.uri.path, '^/sp')}",
     "handler": {
         "type": "SamlFederationHandler",
         "config": {
             "assertionMapping": {
                 "cn": "cn",
                 "sn": "sn"
             },
             "redirectURI": "/",
             "secretsProvider": {
                 "type": "KeyStoreSecretStore",
                 "config": {
                     "file": "${openig.instanceDirectory.path.concat('/SAML/sp-keystore.jceks')}",
                     "storeType": "jceks",
                     "storePassword": "store.id",
                     "keyEntryPassword": "key.id",
                     "secretsProvider": {
                         "type": "SystemAndEnvSecretStore"
                     },
                     "mappings": [
                         {
                             "secretId": "sp.signing.SP",
                             "aliases": ["signing"]
                         },
                         {
                             "secretId": "sp.decryption.SP",
                             "aliases": ["decryption"]
                         }
                     ]
                 }
             }
         }
     }
 }
 
The "secretId" used in each keystore mapping is made up of a prefix for the entity's role (always sp for IG), then either .signing. or .decryption. depending on the purpose of the secret, and finally a part based on the entityId of the Service Provider, which is IG-SP in the example above.

The AM SAML federation library falls back to direct keystore look-ups based on entries in the SP extended metadata when no Saml2CredentialResolver implementation has been specified.
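To catch mapping mistakes before a route is deployed, the following added Python example (not IG's own code) checks a route's KeyStoreSecretStore mappings against the secretId convention described above. It assumes the route JSON shape shown above and that every secretId is of the form <role>.<purpose>.<entityId> with role sp; the sample route embedded at the end is constructed from the example above.

```python
import json
import re

# Added example, not IG code. The pattern below encodes the <role>.<purpose>.<entityId>
# convention described on this page; it is this example's own assumption, not IG's parser.
SECRET_ID = re.compile(r"^(?P<role>[a-z]+)\.(?P<purpose>signing|decryption)\.(?P<entity>.+)$")


def find_keystore_config(route: dict):
    """Return the KeyStoreSecretStore config under a SamlFederationHandler, else None."""
    handler = route.get("handler", {})
    if handler.get("type") != "SamlFederationHandler":
        return None
    store = handler.get("config", {}).get("secretsProvider", {})
    if store.get("type") != "KeyStoreSecretStore":
        return None
    return store.get("config", {})


def check_mappings(route: dict) -> list:
    """Return findings about the secret mappings; an empty list means they are consistent."""
    findings = []
    cfg = find_keystore_config(route)
    if cfg is None:
        return ["no KeyStoreSecretStore under a SamlFederationHandler"]
    for pw in ("storePassword", "keyEntryPassword"):
        if pw not in cfg:  # these are secret IDs resolved by the nested secretsProvider
            findings.append(f"{pw} missing")
    purposes = {}  # entityId -> set of purposes mapped for it
    for m in cfg.get("mappings", []):
        sid = m.get("secretId", "")
        match = SECRET_ID.match(sid)
        if not match:
            findings.append(f"secretId {sid!r} is not <role>.<purpose>.<entityId>")
            continue
        if match["role"] != "sp":
            findings.append(f"secretId {sid!r}: role must be sp for IG")
        if not m.get("aliases"):
            findings.append(f"secretId {sid!r}: aliases must name a keystore alias")
        purposes.setdefault(match["entity"], set()).add(match["purpose"])
    for entity, seen in purposes.items():  # an SP needs both a signing and a decryption secret
        for missing in sorted({"signing", "decryption"} - seen):
            findings.append(f"entity {entity}: no {missing} mapping")
    return findings


# Constructed sample mirroring the route above, reduced to the fields this check reads.
ROUTE = json.loads("""{"handler": {"type": "SamlFederationHandler", "config": {
  "secretsProvider": {"type": "KeyStoreSecretStore", "config": {
    "storeType": "jceks", "storePassword": "store.id", "keyEntryPassword": "key.id",
    "secretsProvider": {"type": "SystemAndEnvSecretStore"},
    "mappings": [{"secretId": "sp.signing.SP", "aliases": ["signing"]},
                 {"secretId": "sp.decryption.SP", "aliases": ["decryption"]}]}}}}}""")
```

Running `check_mappings(ROUTE)` on the sample returns an empty list; a route whose mapping uses a non-sp role, omits aliases, or lacks one of the two purposes gets one finding per problem.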

  • Constructor Details

    • SecretsSaml2CredentialResolver

      public SecretsSaml2CredentialResolver()
      Default constructor to allow for some logging to show when it is created.
  • Method Details

    • resolveActiveSigningCredential

      public org.forgerock.openam.saml2.crypto.signing.Saml2SigningCredentials resolveActiveSigningCredential(String realm, String entityId, org.forgerock.openam.saml2.Saml2EntityRole role) throws com.sun.identity.saml2.common.SAML2Exception
      Specified by:
      resolveActiveSigningCredential in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
      Throws:
      com.sun.identity.saml2.common.SAML2Exception
    • resolveValidSigningCredentials

      public Set<X509Certificate> resolveValidSigningCredentials(String realm, String entityId, org.forgerock.openam.saml2.Saml2EntityRole role) throws com.sun.identity.saml2.common.SAML2Exception
      Specified by:
      resolveValidSigningCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
      Throws:
      com.sun.identity.saml2.common.SAML2Exception
    • resolveValidDecryptionCredentials

      public Set<PrivateKey> resolveValidDecryptionCredentials(String realm, String entityId, org.forgerock.openam.saml2.Saml2EntityRole role) throws com.sun.identity.saml2.common.SAML2Exception
      Specified by:
      resolveValidDecryptionCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
      Throws:
      com.sun.identity.saml2.common.SAML2Exception
    • resolveValidEncryptionCredentials

      public Set<X509Certificate> resolveValidEncryptionCredentials(String realm, String entityId, org.forgerock.openam.saml2.Saml2EntityRole role) throws com.sun.identity.saml2.common.SAML2Exception
      Specified by:
      resolveValidEncryptionCredentials in interface org.forgerock.openam.saml2.plugins.Saml2CredentialResolver
      Throws:
      com.sun.identity.saml2.common.SAML2Exception