AssertionRequestState
The new HTTP client shipped with nevisAuth 4.38.0.12 will likely require changes in this auth state configuration, specifically in the area of certificate configuration and handling.
Visit the migration guide for additional information.
Introduction and overview
The AssertionRequestState can be used to issue the following SAML requests:
- AuthnRequest
- AssertionIDRequest
- SubjectQuery
- AuthnQuery
- AttributeQuery
- AuthzDecision Query
Description
The following table and chapters describe the characteristics of the AuthState.
Topic | Description |
---|---|
Class | ch.nevis.esauth.auth.states.saml.AssertionRequestState |
Logging | Saml |
Auditing | none |
Marker | none |
Methods | authenticate, unlock, logout,stepup |
Properties
consumerURL
(string, required)URL of the SAML consumer location. Messages to the IdP will request responses to be sent to this URL.
idpURL
(string, required)URL of the IdP. Messages to the IdP will use this as destination address.
soap.content-type
(string, "application/soap+xml")Content type to use for outgoing SOAP messages. Some SOAP services may accept only content type text/xml.
Output
out.binding
({http-post,http-redirect, http-post-deferred, http-redirect-deferred, internal}, "http-post")Defines the SAML binding for outgoing SAML messages.
The deferred bindings will prepare the necessary data, but instead of initiating the binding right away, will place those values in the following OutArg fields:
nevis.deferred-transfer.destination
The destination of the deferred bindingnevis.deferred-transfer.field.<fieldname>
The request, response and RelayState with field names SAMLRequest, SAMLResponse and RelayState respectively.
The internal binding causes the AuthState to place the outgoing messages in the outargs
saml.SAMLRequest
andsaml.RelayState
.out.issuer
(string, "${request:EsAuthId}")The issuer name to be used in outgoing SAML messages.
out.requestType
(enum {AuthnRequest, AssertionIDRequest, SubjectQuery, AuthnQuery, AttributeQuery, AuthzDecisionQuery}, AttributeQuery)The request message type to issue.
out.sign
(string (list), "AuthnRequest")List of outgoing SAML message types that will be signed with the configured key materials.
out.sign.hashAlgorithm
(string, "SHA256")Hash algorithm used in SAML signatures. Supported algorithms: SHA1, SHA256, SHA384, SHA512. See also chapter Signatures and signature validation.
out.signatureKeyInfo
(comma-separated list of {SKI,Certificate,CertificateChain,Subject,IssuerSerial,CRLs,SubjectDN,SubjectCN,KeyNames,PublicKey}, SKI)List of KeyInfo content to add to signatures. One, several or none of the listed options may be configured. Note that some of the options require non-mandatory fields within signer certificate used. E.g., SKI may not add anything to the KeyInfo if the signer certificate does not contain an SKI.
infonevisAuth currently requires one SKI, Certificate or IssuerSerial to identify the correct verification certificate when several are configured. Similarly, Ninja only supports SKI when several verification certificates are configured.
out.keystoreref
,out.keyobjectref
These properties configure the key materials used to sign SAML messages whose type is listed in out.sign. Refer to chapter Certificates keys and public key infrastructure.
AuthnRequest
request.Subject
(string, -)Subject of the AuthnRequest.
request.ProviderName
(string, -)The ProviderName of the AuthnRequest.
request.RequestedAuthnContext.AuthnContextClassRef
(comma-separated list of strings, -)Comma-separated list of AuthnContextClassRefs to the request.
request.RequestedAuthnContext.AuthnContextDeclRef
(comma-separated list of strings, -)Comma-separated list of AuthnContextDeclRefs to the request.
request.RequestedAuthnContext.Comparison
(enum {exact, minimum, maximum, better}, -)The comparison to be applied for the requested AuthnContext to be valid.
request.ttl
(int, 10)TTL of the AuthnRequest, in seconds.
AssertionIDRequest
request.AssertionIDRef
(list of string, -, required)Comma-separated list of assertion IDs referenced by the AssertionIDRequest.
SubjectQuery
request.Subject
(string, -, required)Subject of the SubjectQuery.
AuthnQuery
request.Subject
(string, -, required)Subject of the AuthnQuery.
request.SessionIndex
(string, -)Index of SAML sessions assigned to the authentication.
request.RequestedAuthnContext.AuthnContextClassRef
(comma-separated list of strings, -)Comma-separated list of AuthnContextClassRefs to request.
request.RequestedAuthnContext.AuthnContextDeclRef
(comma-separated list of strings, -)Comma-separated list of AuthnContextDeclRefs to request.
request.RequestedAuthnContext.Comparison
(enum {exact, minimum, maximum, better}, -)The comparison to be applied for the requested AuthnContext to be valid.
AttributeQuery
request.Subject
(string, -, required)Subject of the AttributeQuery.
request.Attribute
(comma-separated list of string, -)Comma-separated list of attributes to request.
AuthzDecision Query
request.Subject
(string, -, required)Subject of the AuthzDecisionQuery.
request.Action
(comma-separated list of string, -)Comma-separated list of actions for which authorization is requested.
request.Resource
(string, - , required)A URI reference indicating the resource for which the authorization is requested.
request.Evidence.Assertion
(string, -)An assertion that may be used for making the authorization decision.
request.Evidence.AssertionIdReference
(comma-separated list of string, -)Comma-separated list of IDs of assertions that may be used for taking the authorization decision.
Plugins
out.extension.<extension-name>
(string, classname),<extension-name>.<property-name>
(syntax)This syntax specifies plug-ins that will be called to process incoming messages. Properties may be passed to the plug-ins using the second syntax shown. Currently, only the output-extender
ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender
is implemented. This extension adds requests for SuisseID attributes to outgoing messages. It takes the following properties:<extension-name>.Attribute
Comma-separated list of attributes to request in the issued message.
Example configuration for SuisseIDAttributeServiceExtender<property name="out.extension.SuisseID" value="ch.nevis.esauth.auth.states.saml.extensions.SuisseIDAttributeServiceExtender" />
<property name="SuisseID.Attribute" value="${inargs:attributes}" />
HTTP Client
soap.httpclient.*
(String)Configure the outgoing HTTP communication towards the web locations specified in the connection properties. For a list of valid HTTP properties, see HTTP Client.
Input
All inputs used to resolve SAML bindings are according to SAML specification: inargs:SAMLRequest
, SAMLResponse
, RelayState
etc.
Transitions
ok
Successfully issued SAML message
Output
none
Errors
lasterror=99
lasterrorinfo=Generic error