<resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:mace:shibboleth:1.0:nameIdentifier" />
- <resolver:AttributeEncoder xsi:type="SAML1StringNameIdentifier" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
-
<resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
- <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
- nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</resolver:AttributeDefinition>
<!-- ========================================== -->
supportedLoginHandler = supportedLoginHandlerItr.next();
if (!(supportedLoginHandler.getKey().equals(PreviousSessionLoginHandler.PREVIOUS_SESSION_AUTHN_METHOD))
&& !loginContext.getRequestedAuthenticationMethods().contains(supportedLoginHandler.getKey())) {
+// treat no req method as any
supportedLoginHandlerItr.remove();
continue;
}
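Review bot: The added comment `// treat no req method as any` sits inside the branch that removes a handler, but nothing in the hunk implements that: when `getRequestedAuthenticationMethods()` is empty the `contains` check is false for every handler except the previous-session one, so all of them are removed rather than being accepted. Unless the empty case is already handled earlier in the loop (the enclosing method starts outside the hunk), the condition needs an empty-list guard ahead of the `contains` test, `&& !loginContext.getRequestedAuthenticationMethods().isEmpty()`, and the comment belongs on that guard rather than before `remove()`. If the empty case is handled above, the comment should move there or be dropped so it does not describe behaviour this branch does not have.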
package edu.internet2.middleware.shibboleth.idp.profile;
+import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.opensaml.common.IdentifierGenerator;
import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
import org.opensaml.common.binding.encoding.SAMLMessageEncoder;
+import org.opensaml.saml1.core.NameIdentifier;
+import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
+import org.opensaml.saml2.metadata.AuthnAuthorityDescriptor;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.PDPDescriptor;
+import org.opensaml.saml2.metadata.RoleDescriptor;
+import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
}
/**
+ * Gets the name identifier formats to use when creating identifiers for the relying party.
+ *
+ * @param requestContext current request context
+ *
+ * @return list of formats that may be used with the relying party, or an empty list for no preference
+ *
+ * @throws ProfileException thrown if there is a problem determining the name identifier format to use
+ */
+ protected List<String> getNameFormats(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
+ ArrayList<String> nameFormats = new ArrayList<String>();
+
+ RoleDescriptor relyingPartyRole = requestContext.getPeerEntityRoleMetadata();
+ if (relyingPartyRole != null) {
+ List<String> relyingPartySupportedFormats = getEntitySupportedFormats(relyingPartyRole);
+ if (relyingPartySupportedFormats != null && !relyingPartySupportedFormats.isEmpty()) {
+ nameFormats.addAll(relyingPartySupportedFormats);
+ }
+ }
+
+ // If metadata contains the unspecified name format this means that any are supported
+ if (nameFormats.contains(NameIdentifier.UNSPECIFIED)) {
+ nameFormats.clear();
+ }
+
+ return nameFormats;
+ }
+
+ /**
+ * Gets the list of name identifier formats supported for a given role.
+ *
+ * @param role the role to get the list of supported name identifier formats
+ *
+ * @return list of supported name identifier formats
+ */
+ protected List<String> getEntitySupportedFormats(RoleDescriptor role) {
+ List<NameIDFormat> nameIDFormats = null;
+
+ if (role instanceof SSODescriptor) {
+ nameIDFormats = ((SSODescriptor) role).getNameIDFormats();
+ } else if (role instanceof AuthnAuthorityDescriptor) {
+ nameIDFormats = ((AuthnAuthorityDescriptor) role).getNameIDFormats();
+ } else if (role instanceof PDPDescriptor) {
+ nameIDFormats = ((PDPDescriptor) role).getNameIDFormats();
+ } else if (role instanceof AttributeAuthorityDescriptor) {
+ nameIDFormats = ((AttributeAuthorityDescriptor) role).getNameIDFormats();
+ }
+
+ ArrayList<String> supportedFormats = new ArrayList<String>();
+ if (nameIDFormats != null) {
+ for (NameIDFormat format : nameIDFormats) {
+ supportedFormats.add(format.getFormat());
+ }
+ }
+
+ return supportedFormats;
+ }
+
+ /**
* Populates the request context with the information about the user if they have an existing session. Unless
* overridden, {@link #populateRequestContext(BaseSAMLProfileRequestContext)} has already invoked
* {@link #populateRelyingPartyInformation(BaseSAMLProfileRequestContext)},
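Review bot: `getEntitySupportedFormats` adds `format.getFormat()` to the result unchecked, so if `getFormat()` can return null for a `<NameIDFormat/>` element without text, a malformed entry in relying-party metadata becomes a null format that `getNameFormats` hands on to callers; metadata is usually federation-supplied, so the loop should skip such entries: `String value = format.getFormat(); if (value != null && !value.isEmpty()) { supportedFormats.add(value); }`. The `contains(NameIdentifier.UNSPECIFIED)` clear in `getNameFormats` also discards any specific formats listed alongside `unspecified`, so an ordered preference such as persistent-then-unspecified collapses to "no preference"; if that is intended, the `@return` tag should state it, e.g. `or an empty list when the relying party expresses no preference or lists the unspecified format`. The `relyingPartySupportedFormats != null` test is redundant, since `getEntitySupportedFormats` always returns a list.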
package edu.internet2.middleware.shibboleth.idp.profile.saml1;
-import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.opensaml.saml1.core.StatusMessage;
import org.opensaml.saml1.core.Subject;
import org.opensaml.saml1.core.SubjectConfirmation;
-import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
-import org.opensaml.saml2.metadata.AuthnAuthorityDescriptor;
-import org.opensaml.saml2.metadata.NameIDFormat;
-import org.opensaml.saml2.metadata.PDPDescriptor;
import org.opensaml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.io.Marshaller;
}
/**
- * Gets the NameIdentifier format to use when creating NameIdentifiers for the relying party.
- *
- * @param requestContext current request context
- *
- * @return list of formats that may be used with the relying party, or an empty list for no preference
- *
- * @throws ProfileException thrown if there is a problem determining the NameIdentifier format to use
- */
- protected List<String> getNameFormats(BaseSAML1ProfileRequestContext<?, ?, ?> requestContext)
- throws ProfileException {
- ArrayList<String> nameFormats = new ArrayList<String>();
-
- RoleDescriptor relyingPartyRole = requestContext.getPeerEntityRoleMetadata();
- if (relyingPartyRole != null) {
- List<String> relyingPartySupportedFormats = getEntitySupportedFormats(relyingPartyRole);
- if (relyingPartySupportedFormats != null && !relyingPartySupportedFormats.isEmpty()) {
- nameFormats.addAll(relyingPartySupportedFormats);
- }
- }
-
- return nameFormats;
- }
-
- /**
- * Gets the list of NameIdentifier formats supported for a given role.
- *
- * @param role the role to get the list of supported NameIdentifier formats
- *
- * @return list of supported NameIdentifier formats
- */
- protected List<String> getEntitySupportedFormats(RoleDescriptor role) {
- List<NameIDFormat> nameIDFormats = null;
-
- if (role instanceof SSODescriptor) {
- nameIDFormats = ((SSODescriptor) role).getNameIDFormats();
- } else if (role instanceof AuthnAuthorityDescriptor) {
- nameIDFormats = ((AuthnAuthorityDescriptor) role).getNameIDFormats();
- } else if (role instanceof PDPDescriptor) {
- nameIDFormats = ((PDPDescriptor) role).getNameIDFormats();
- } else if (role instanceof AttributeAuthorityDescriptor) {
- nameIDFormats = ((AttributeAuthorityDescriptor) role).getNameIDFormats();
- }
-
- ArrayList<String> supportedFormats = new ArrayList<String>();
- if (nameIDFormats != null) {
- for (NameIDFormat format : nameIDFormats) {
- supportedFormats.add(format.getFormat());
- }
- }
-
- return supportedFormats;
- }
-
- /**
* Constructs an SAML response message carrying a request error.
*
* @param requestContext current request context containing the failure status
}
/**
- * Gets the NameID format to use when creating NameIDs for the relying party.
- *
- * @param requestContext current request context
- *
- * @return list of formats that may be used with the relying party, or an empty list for no preference
- *
- * @throws ProfileException thrown if there is a problem determining the NameID format to use
- */
- protected List<String> getNameFormats(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext)
- throws ProfileException {
- ArrayList<String> nameFormats = new ArrayList<String>();
-
- // Determine SP-supported formats.
- RoleDescriptor relyingPartyRole = requestContext.getPeerEntityRoleMetadata();
- if (relyingPartyRole != null) {
- List<String> relyingPartySupportedFormats = getEntitySupportedFormats(relyingPartyRole);
- if (relyingPartySupportedFormats != null && !relyingPartySupportedFormats.isEmpty()) {
- nameFormats.addAll(relyingPartySupportedFormats);
- }
- }
-
- return nameFormats;
- }
-
- /**
- * Gets the list of NameID formats supported for a given role.
- *
- * @param role the role to get the list of supported NameID formats
- *
- * @return list of supported NameID formats
- */
- protected List<String> getEntitySupportedFormats(RoleDescriptor role) {
- List<NameIDFormat> nameIDFormats = null;
-
- if (role instanceof SSODescriptor) {
- nameIDFormats = ((SSODescriptor) role).getNameIDFormats();
- } else if (role instanceof AuthnAuthorityDescriptor) {
- nameIDFormats = ((AuthnAuthorityDescriptor) role).getNameIDFormats();
- } else if (role instanceof PDPDescriptor) {
- nameIDFormats = ((PDPDescriptor) role).getNameIDFormats();
- } else if (role instanceof AttributeAuthorityDescriptor) {
- nameIDFormats = ((AttributeAuthorityDescriptor) role).getNameIDFormats();
- }
-
- ArrayList<String> supportedFormats = new ArrayList<String>();
- if (nameIDFormats != null) {
- for (NameIDFormat format : nameIDFormats) {
- supportedFormats.add(format.getFormat());
- }
- }
-
- return supportedFormats;
- }
-
- /**
* Constructs an SAML response message carrying a request error.
*
* @param requestContext current request context