Overwrite existing code
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 24 Apr 2007 02:11:06 +0000 (02:11 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 24 Apr 2007 02:11:06 +0000 (02:11 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2186 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index 3a51587..cf942a0 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
 
 
 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
 
-import java.util.List;
+import java.util.Collection;
 
 
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-
-import org.apache.log4j.Logger;
 import org.joda.time.DateTime;
 import org.joda.time.DateTime;
-import org.opensaml.Configuration;
-import org.opensaml.common.IdentifierGenerator;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.SAMLVersion;
-import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
-import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnContextDeclRef;
-import org.opensaml.saml2.core.AuthnStatement;
+import org.opensaml.common.impl.SAMLObjectContentReference;
+import org.opensaml.saml2.core.Advice;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Audience;
 import org.opensaml.saml2.core.AudienceRestriction;
 import org.opensaml.saml2.core.Assertion;
 import org.opensaml.saml2.core.Audience;
 import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.AuthnStatement;
 import org.opensaml.saml2.core.Conditions;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.Conditions;
 import org.opensaml.saml2.core.Issuer;
+import org.opensaml.saml2.core.ProxyRestriction;
+import org.opensaml.saml2.core.RequestAbstractType;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusMessage;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Status;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusMessage;
+import org.opensaml.saml2.core.StatusResponseType;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.saml2.core.Subject;
-import org.opensaml.xml.XMLObjectBuilderFactory;
-
+import org.opensaml.xml.XMLObjectBuilder;
+import org.opensaml.xml.encryption.EncryptionException;
+import org.opensaml.xml.security.credential.Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.Signer;
+import org.opensaml.xml.util.DatatypeHelper;
+
+import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
+import edu.internet2.middleware.shibboleth.common.relyingparty.saml2.AbstractSAML2ProfileConfiguration;
 import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
 
 /**
  * Common implementation details for profile handlers.
  */
 import edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler;
 
 /**
  * Common implementation details for profile handlers.
  */
-public abstract class AbstractSAML2ProfileHandler extends
-               AbstractSAMLProfileHandler {
-
-       /** SAML Version for this profile handler. */
-       public static final SAMLVersion SAML_VERSION = SAMLVersion.VERSION_20;
-
-       /** URI for the SAML 2 protocol. */
-       public static final String SAML20_PROTOCOL_URI = "urn:oasis:names:tc:SAML:2.0:protocol";
-
-       /** Class logger. */
-       private static Logger log = Logger
-                       .getLogger(AbstractSAML2ProfileHandler.class);
-
-       /** For building XML. */
-       private XMLObjectBuilderFactory builderFactory;
-
-       /** For generating random ids. */
-       private IdentifierGenerator idGenerator;
-
-       /** Builder for Response elements. */
-       protected SAMLObjectBuilder<Response> responseBuilder;
-
-       /** Builder for Status elements. */
-       protected SAMLObjectBuilder<Status> statusBuilder;
-
-       /** Builder for StatusCode elements. */
-       protected SAMLObjectBuilder<StatusCode> statusCodeBuilder;
-
-       /** Builder for StatusMessage elements. */
-       protected SAMLObjectBuilder<StatusMessage> statusMessageBuilder;
-
-       /** Builder for Issuer elements. */
-       protected SAMLObjectBuilder<Issuer> issuerBuilder;
-
-       /** Builder for Assertion elements. */
-       protected SAMLObjectBuilder<Assertion> assertionBuilder;
-
-       /** Builder for Condition elements. */
-       protected SAMLObjectBuilder<Conditions> conditionsBuilder;
-
-       /** Builder for AuthnStatement elements. */
-       protected SAMLObjectBuilder<AuthnStatement> authnStatementBuilder;
-
-       /** Builder for AuthnContext elements. */
-       protected SAMLObjectBuilder<AuthnContext> authnContextBuilder;
-
-       /** Builder for AuthnContextClassRef elements. */
-       protected SAMLObjectBuilder<AuthnContextClassRef> authnContextClassRefBuilder;
-
-       /** Builder for AuthnContextDeclRef elements. */
-       protected SAMLObjectBuilder<AuthnContextDeclRef> authnContextDeclRefBuilder;
-
-       /** Builder for AudienceRestriction conditions. */
-       protected SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder;
-
-       /** Builder for Audience elemenets. */
-       protected SAMLObjectBuilder<Audience> audienceBuilder;
-
-       /**
-        * Default constructor.
-        */
-       public AbstractSAML2ProfileHandler() {
-               builderFactory = Configuration.getBuilderFactory();
-               idGenerator = new SecureRandomIdentifierGenerator();
-
-               assertionBuilder = (SAMLObjectBuilder<Assertion>) getBuilderFactory()
-                               .getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
-               authnStatementBuilder = (SAMLObjectBuilder<AuthnStatement>) getBuilderFactory()
-                               .getBuilder(AuthnStatement.DEFAULT_ELEMENT_NAME);
-               authnContextBuilder = (SAMLObjectBuilder<AuthnContext>) getBuilderFactory()
-                               .getBuilder(AuthnContext.DEFAULT_ELEMENT_NAME);
-               authnContextClassRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>) getBuilderFactory()
-                               .getBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
-               authnContextDeclRefBuilder = (SAMLObjectBuilder<AuthnContextDeclRef>) getBuilderFactory()
-                               .getBuilder(AuthnContextDeclRef.DEFAULT_ELEMENT_NAME);
-               audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) getBuilderFactory()
-                               .getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
-               audienceBuilder = (SAMLObjectBuilder<Audience>) getBuilderFactory()
-                               .getBuilder(Audience.DEFAULT_ELEMENT_NAME);
-               conditionsBuilder = (SAMLObjectBuilder<Conditions>) getBuilderFactory()
-                               .getBuilder(Conditions.DEFAULT_ELEMENT_NAME);
-               responseBuilder = (SAMLObjectBuilder<Response>) builderFactory
-                               .getBuilder(Response.DEFAULT_ELEMENT_NAME);
-               statusBuilder = (SAMLObjectBuilder<Status>) builderFactory
-                               .getBuilder(Status.DEFAULT_ELEMENT_NAME);
-               statusCodeBuilder = (SAMLObjectBuilder<StatusCode>) builderFactory
-                               .getBuilder(StatusCode.DEFAULT_ELEMENT_NAME);
-               statusMessageBuilder = (SAMLObjectBuilder<StatusMessage>) builderFactory
-                               .getBuilder(StatusMessage.DEFAULT_ELEMENT_NAME);
-               issuerBuilder = (SAMLObjectBuilder<Issuer>) builderFactory
-                               .getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-       }
-
-       /**
-        * Returns the XML builder factory.
-        * 
-        * @return Returns the builderFactory.
-        */
-       public XMLObjectBuilderFactory getBuilderFactory() {
-               return builderFactory;
-       }
-
-       /**
-        * Returns the id generator.
-        * 
-        * @return Returns the idGenerator.
-        */
-       public IdentifierGenerator getIdGenerator() {
-               return idGenerator;
-       }
-
-       /**
-        * Build a status message, with an optional second-level failure message.
-        * 
-        * @param topLevelCode
-        *            The top-level status code. Should be from saml-core-2.0-os,
-        *            sec. 3.2.2.2
-        * @param secondLevelCode
-        *            An optional second-level failure code. Should be from
-        *            saml-core-2.0-is, sec 3.2.2.2. If null, no second-level Status
-        *            element will be set.
-        * @param secondLevelFailureMessage
-        *            An optional second-level failure message.
-        * 
-        * @return a Status object.
-        */
-       protected Status buildStatus(String topLevelCode, String secondLevelCode,
-                       String secondLevelFailureMessage) {
-
-               Status status = statusBuilder.buildObject();
-               StatusCode statusCode = statusCodeBuilder.buildObject();
-
-               statusCode.setValue(topLevelCode);
-               if (secondLevelCode != null) {
-                       StatusCode secondLevelStatusCode = statusCodeBuilder.buildObject();
-                       secondLevelStatusCode.setValue(secondLevelCode);
-                       statusCode.setStatusCode(secondLevelStatusCode);
-               }
-
-               if (secondLevelFailureMessage != null) {
-                       StatusMessage msg = statusMessageBuilder.buildObject();
-                       msg.setMessage(secondLevelFailureMessage);
-                       status.setStatusMessage(msg);
-               }
-
-               return status;
-       }
-
-       /**
-        * Build a status message, with an optional second-level failure message.
-        * 
-        * @param topLevelCode
-        *            The top-level status code. Should be from saml-core-2.0-os,
-        *            sec. 3.2.2.2
-        * @param secondLevelCode
-        *            An optional second-level failure code. Should be from
-        *            saml-core-2.0-is, sec 3.2.2.2. If null, no second-level Status
-        *            element will be set.
-        * 
-        * @return a Status object.
-        */
-       protected Status buildStatus(String topLevelCode,
-                       final StatusCode secondLevelCode) {
-
-               Status status = statusBuilder.buildObject();
-               StatusCode statusCode = statusCodeBuilder.buildObject();
-
-               statusCode.setValue(topLevelCode);
-               if (secondLevelCode != null) {
-                       statusCode.setStatusCode(secondLevelCode);
-               }
-
-               return status;
-       }
-
-       /**
-        * Build a StatusCode.
-        * 
-        * @param statusCode
-        *            The URI status code.
-        * @param message
-        *            The message; may be <code>null</code.
-        *
-        * @return a StatusCode object.
-        */
-       protected StatusCode buildStatusCode(String statusCode) {
-               return null;
-       }
-
-       /**
-        * Build a SAML 2 Response element with basic fields populated.
-        * 
-        * Failure handlers can send the returned response element to the RP.
-        * Success handlers should add the assertions before sending it.
-        * 
-        * @param inResponseTo
-        *            The ID of the request this is in response to.
-        * @param issueInstant
-        *            The timestamp of this response.
-        * @param issuer
-        *            The URI of the RP issuing the response.
-        * @param status
-        *            The response's status code.
-        * 
-        * @return The populated Response object.
-        */
-       protected Response buildResponse(String inResponseTo,
-                       final DateTime issueInstant, String issuer, final Status status) {
-
-               Response response = responseBuilder.buildObject();
-
-               Issuer i = issuerBuilder.buildObject();
-               i.setValue(issuer);
-
-               response.setVersion(SAML_VERSION);
-               response.setID(getIdGenerator().generateIdentifier());
-               response.setInResponseTo(inResponseTo);
-               response.setIssueInstant(issueInstant);
-               response.setIssuer(i);
-               response.setStatus(status);
-
-               return response;
-       }
-
-       /**
-        * Build a skeletal SAML 2 assertion.
-        * 
-        * Note, the caller may either set the audiences in the conditions argument,
-        * or pass a list of URIs to this method. If the latter option is chosen,
-        * this method will create the appropriate AudienceRestriction element.
-        * 
-        * @param subject
-        *            The Subject of the assertion.
-        * @param conditions
-        *            The conditions object.
-        * @param issuer
-        *            The URI of the RP issuing the assertion.
-        * @param audiences
-        *            A possibly null array of audience URIs for the assertion.
-        * 
-        * @return The assertion object.
-        */
-       protected Assertion buildAssertion(final Subject subject,
-                       final Conditions conditions, final Issuer issuer,
-                       final String[] audiences) {
-
-               Assertion assertion = assertionBuilder.buildObject();
-               assertion.setID(getIdGenerator().generateIdentifier());
-               assertion.setVersion(SAML_VERSION);
-               assertion.setIssueInstant(new DateTime());
-               assertion.setConditions(conditions);
-               assertion.setSubject(subject);
-
-               Issuer i = issuerBuilder.buildObject();
-               i.setValue(issuer.getValue());
-               assertion.setIssuer(i);
-
-               // if audiences were specified, set an AudienceRestriction condition
-               if (audiences != null && audiences.length > 0) {
-
-                       List<AudienceRestriction> audienceRestrictionConditions = assertion
-                                       .getConditions().getAudienceRestrictions();
-
-                       AudienceRestriction audienceRestriction = audienceRestrictionBuilder
-                                       .buildObject();
-                       audienceRestrictionConditions.add(audienceRestriction);
-
-                       List<Audience> audienceList = audienceRestriction.getAudiences();
-
-                       for (String audienceURI : audiences) {
-                               Audience audience = audienceBuilder.buildObject();
-                               audience.setAudienceURI(audienceURI);
-                               audienceList.add(audience);
-                       }
-               }
-
-               return assertion;
-       }
-}
+public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHandler {
+
+    /** For building response. */
+    private SAMLObjectBuilder<Response> responseBuilder;
+
+    /** For building status. */
+    private SAMLObjectBuilder<Status> statusBuilder;
+
+    /** For building statuscode. */
+    private SAMLObjectBuilder<StatusCode> statusCodeBuilder;
+
+    /** For building StatusMessages. */
+    private SAMLObjectBuilder<StatusMessage> statusMessageBuilder;
+
+    /** For building assertion. */
+    private SAMLObjectBuilder<Assertion> assertionBuilder;
+
+    /** For building issuer. */
+    private SAMLObjectBuilder<Issuer> issuerBuilder;
+
+    /** For building subject. */
+    private SAMLObjectBuilder<Subject> subjectBuilder;
+
+    /** For building conditions. */
+    private SAMLObjectBuilder<Conditions> conditionsBuilder;
+
+    /** For building audience restriction. */
+    private SAMLObjectBuilder<AudienceRestriction> audienceRestrictionBuilder;
+
+    /** For building proxy retrictions. */
+    private SAMLObjectBuilder<ProxyRestriction> proxyRestrictionBuilder;
+
+    /** For building audience. */
+    private SAMLObjectBuilder<Audience> audienceBuilder;
+
+    /** For building advice. */
+    private SAMLObjectBuilder<Advice> adviceBuilder;
+
+    /** For building signature. */
+    private XMLObjectBuilder<Signature> signatureBuilder;
+
+    /** Constructor. */
+    @SuppressWarnings("unchecked")
+    protected AbstractSAML2ProfileHandler() {
+        super();
+
+        responseBuilder = (SAMLObjectBuilder<Response>) getBuilderFactory().getBuilder(Response.DEFAULT_ELEMENT_NAME);
+        statusBuilder = (SAMLObjectBuilder<Status>) getBuilderFactory().getBuilder(Status.DEFAULT_ELEMENT_NAME);
+        statusCodeBuilder = (SAMLObjectBuilder<StatusCode>) getBuilderFactory().getBuilder(
+                StatusCode.DEFAULT_ELEMENT_NAME);
+        statusMessageBuilder = (SAMLObjectBuilder<StatusMessage>) getBuilderFactory().getBuilder(
+                StatusMessage.DEFAULT_ELEMENT_NAME);
+        issuerBuilder = (SAMLObjectBuilder<Issuer>) getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
+        assertionBuilder = (SAMLObjectBuilder<Assertion>) getBuilderFactory()
+                .getBuilder(Assertion.DEFAULT_ELEMENT_NAME);
+        subjectBuilder = (SAMLObjectBuilder<Subject>) getBuilderFactory().getBuilder(Subject.DEFAULT_ELEMENT_NAME);
+        conditionsBuilder = (SAMLObjectBuilder<Conditions>) getBuilderFactory().getBuilder(
+                Conditions.DEFAULT_ELEMENT_NAME);
+        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>) getBuilderFactory().getBuilder(
+                AudienceRestriction.DEFAULT_ELEMENT_NAME);
+        proxyRestrictionBuilder = (SAMLObjectBuilder<ProxyRestriction>) getBuilderFactory().getBuilder(
+                ProxyRestriction.DEFAULT_ELEMENT_NAME);
+        audienceBuilder = (SAMLObjectBuilder<Audience>) getBuilderFactory().getBuilder(Audience.DEFAULT_ELEMENT_NAME);
+        adviceBuilder = (SAMLObjectBuilder<Advice>) getBuilderFactory().getBuilder(Advice.DEFAULT_ELEMENT_NAME);
+        signatureBuilder = (XMLObjectBuilder<Signature>) getBuilderFactory().getBuilder(Signature.DEFAULT_ELEMENT_NAME);
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 advice builder.
+     * 
+     * @return SAML 2 advice builder
+     */
+    public SAMLObjectBuilder<Advice> getAdviceBuilder() {
+        return adviceBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 assertion builder.
+     * 
+     * @return SAML 2 assertion builder
+     */
+    public SAMLObjectBuilder<Assertion> getAssertionBuilder() {
+        return assertionBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 audience builder.
+     * 
+     * @return SAML 2 audience builder
+     */
+    public SAMLObjectBuilder<Audience> getAudienceBuilder() {
+        return audienceBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 audience restriction builder.
+     * 
+     * @return SAML 2 audience restriction builder
+     */
+    public SAMLObjectBuilder<AudienceRestriction> getAudienceRestrictionBuilder() {
+        return audienceRestrictionBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 conditions builder.
+     * 
+     * @return SAML 2 conditions builder
+     */
+    public SAMLObjectBuilder<Conditions> getConditionsBuilder() {
+        return conditionsBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 Issuer builder.
+     * 
+     * @return SAML 2 Issuer builder
+     */
+    public SAMLObjectBuilder<Issuer> getIssuerBuilder() {
+        return issuerBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 proxy restriction builder.
+     * 
+     * @return SAML 2 proxy restriction builder
+     */
+    public SAMLObjectBuilder<ProxyRestriction> getProxyRestrictionBuilder() {
+        return proxyRestrictionBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 response builder.
+     * 
+     * @return SAML 2 response builder
+     */
+    public SAMLObjectBuilder<Response> getResponseBuilder() {
+        return responseBuilder;
+    }
+
+    /**
+     * Convenience method for getting the Signature builder.
+     * 
+     * @return signature builder
+     */
+    public XMLObjectBuilder<Signature> getSignatureBuilder() {
+        return signatureBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 status builder.
+     * 
+     * @return SAML 2 status builder
+     */
+    public SAMLObjectBuilder<Status> getStatusBuilder() {
+        return statusBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 status code builder.
+     * 
+     * @return SAML 2 status code builder
+     */
+    public SAMLObjectBuilder<StatusCode> getStatusCodeBuilder() {
+        return statusCodeBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 status message builder.
+     * 
+     * @return SAML 2 status message builder
+     */
+    public SAMLObjectBuilder<StatusMessage> getStatusMessageBuilder() {
+        return statusMessageBuilder;
+    }
+
+    /**
+     * Convenience method for getting the SAML 2 subject builder.
+     * 
+     * @return SAML 2 subject builder
+     */
+    public SAMLObjectBuilder<Subject> getSubjectBuilder() {
+        return subjectBuilder;
+    }
+
+    /**
+     * Populates the response's id, in response to, issue instant, version, and issuer properties.
+     * 
+     * @param response the response to populate
+     * @param issueInstant timestamp to use as the issue instant for the response
+     * @param request the request that the response is for
+     * @param rpConfig the relying party configuration for the request
+     */
+    protected void populateStatusResponse(StatusResponseType response, DateTime issueInstant,
+            RequestAbstractType request, RelyingPartyConfiguration rpConfig) {
+        response.setID(getIdGenerator().generateIdentifier());
+        response.setInResponseTo(request.getID());
+        response.setIssueInstant(issueInstant);
+        response.setVersion(SAMLVersion.VERSION_20);
+        response.setIssuer(buildEntityIssuer(rpConfig));
+    }
+
+    /**
+     * Builds a {@link Status} object populated with the given code and message.
+     * 
+     * @param statusCode status code or null
+     * @param statusMessage status message or null
+     * 
+     * @return built status object
+     */
+    protected Status buildStatus(String statusCode, String statusMessage) {
+        Status status = getStatusBuilder().buildObject();
+
+        String trimmedCode = DatatypeHelper.safeTrimOrNullString(statusCode);
+        if (trimmedCode != null) {
+            StatusCode code = getStatusCodeBuilder().buildObject();
+            code.setValue(trimmedCode);
+            status.setStatusCode(code);
+        }
+
+        String trimmedMessage = DatatypeHelper.safeTrimOrNullString(statusMessage);
+        if (trimmedMessage != null) {
+            StatusMessage message = getStatusMessageBuilder().buildObject();
+            message.setMessage(trimmedMessage);
+            status.setStatusMessage(message);
+        }
+
+        return status;
+    }
+
+    /**
+     * Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
+     * 
+     * @param issueInstant time to use as assertion issue instant
+     * @param rpConfig the relying party configuration
+     * @param profileConfig current profile configuration
+     * 
+     * @return the built assertion
+     */
+    protected Assertion buildAssertion(DateTime issueInstant, RelyingPartyConfiguration rpConfig,
+            AbstractSAML2ProfileConfiguration profileConfig) {
+        Assertion assertion = assertionBuilder.buildObject();
+        assertion.setID(getIdGenerator().generateIdentifier());
+        assertion.setIssueInstant(issueInstant);
+        assertion.setVersion(SAMLVersion.VERSION_20);
+        assertion.setIssuer(buildEntityIssuer(rpConfig));
+        //TODO assertion.setSubject(buildSubject());
+
+        Conditions conditions = buildConditions(issueInstant, profileConfig);
+        assertion.setConditions(conditions);
+
+        return assertion;
+    }
+
+    /**
+     * Builds an entity type Issuer populated with the correct provider Id for this relying party configuration.
+     * 
+     * @param rpConfig the relying party configuration
+     * 
+     * @return the built Issuer
+     */
+    protected Issuer buildEntityIssuer(RelyingPartyConfiguration rpConfig) {
+        Issuer issuer = getIssuerBuilder().buildObject();
+        issuer.setFormat(Issuer.ENTITY);
+        issuer.setValue(rpConfig.getProviderId());
+
+        return issuer;
+    }
+
+    /**
+     * Builds the SAML subject for the user for the service provider.
+     * 
+     * @return SAML subject for the user for the service provider
+     * 
+     * @throws EncryptionException thrown if there is a problem encryption the subject's NameID
+     */
+    protected Subject buildSubject() throws EncryptionException {
+        // TODO
+        return null;
+    }
+
+    /**
+     * Builds a SAML assertion condition set. The following fields are set; not before, not on or after, audience
+     * restrictions, and proxy restrictions.
+     * 
+     * @param issueInstant timestamp the assertion was created
+     * @param profileConfig current profile configuration
+     * 
+     * @return constructed conditions
+     */
+    private Conditions buildConditions(DateTime issueInstant, AbstractSAML2ProfileConfiguration profileConfig) {
+        Conditions conditions = conditionsBuilder.buildObject();
+        conditions.setNotBefore(issueInstant);
+        conditions.setNotOnOrAfter(issueInstant.plus(profileConfig.getAssertionLifetime()));
+
+        Collection<String> audiences;
+
+        // add audience restrictions
+        audiences = profileConfig.getAssertionAudiences();
+        if (audiences != null && audiences.size() > 0) {
+            AudienceRestriction audienceRestriction = audienceRestrictionBuilder.buildObject();
+            Audience audience;
+            for (String audienceUri : audiences) {
+                audience = audienceBuilder.buildObject();
+                audience.setAudienceURI(audienceUri);
+                audienceRestriction.getAudiences().add(audience);
+            }
+            conditions.getAudienceRestrictions().add(audienceRestriction);
+        }
+
+        // add proxy restrictions
+        audiences = profileConfig.getProxyAudiences();
+        if (audiences != null && audiences.size() > 0) {
+            ProxyRestriction proxyRestriction = proxyRestrictionBuilder.buildObject();
+            Audience audience;
+            for (String audienceUri : audiences) {
+                audience = audienceBuilder.buildObject();
+                audience.setAudienceURI(audienceUri);
+                proxyRestriction.getAudiences().add(audience);
+            }
+
+            proxyRestriction.setProxyCount(profileConfig.getProxyCount());
+            conditions.getConditions().add(proxyRestriction);
+        }
+
+        return conditions;
+    }
+
+    /**
+     * Signs the given assertion if either the current profile configuration or the relying party configuration contains
+     * signing credentials.
+     * 
+     * @param assertion assertion to sign
+     * @param rpConfig relying party configuration
+     * @param profileConfig current profile configuration
+     */
+    protected void signAssertion(Assertion assertion, RelyingPartyConfiguration rpConfig,
+            AbstractSAML2ProfileConfiguration profileConfig) {
+        if (!profileConfig.getSignAssertions()) {
+            return;
+        }
+
+        Credential signatureCredential = profileConfig.getSigningCredential();
+        if (signatureCredential == null) {
+            signatureCredential = rpConfig.getDefaultSigningCredential();
+        }
+
+        if (signatureCredential == null) {
+            return;
+        }
+
+        SAMLObjectContentReference contentRef = new SAMLObjectContentReference(assertion);
+        Signature signature = signatureBuilder.buildObject(Signature.DEFAULT_ELEMENT_NAME);
+        signature.getContentReferences().add(contentRef);
+        assertion.setSignature(signature);
+
+        Signer.signObject(signature);
+    }
+    
+    protected void signResponse(StatusResponseType response, RelyingPartyConfiguration rpConfig, AbstractSAML2ProfileConfiguration profileConfig){
+        if (!profileConfig.getSignResponses()) {
+            return;
+        }
+
+        Credential signatureCredential = profileConfig.getSigningCredential();
+        if (signatureCredential == null) {
+            signatureCredential = rpConfig.getDefaultSigningCredential();
+        }
+
+        if (signatureCredential == null) {
+            return;
+        }
+
+        SAMLObjectContentReference contentRef = new SAMLObjectContentReference(response);
+        Signature signature = signatureBuilder.buildObject(Signature.DEFAULT_ELEMENT_NAME);
+        signature.getContentReferences().add(contentRef);
+        response.setSignature(signature);
+
+        Signer.signObject(signature);
+    }
+
+    // TODO encryption support
+}
\ No newline at end of file