org.sourceid.saml20.adapter.idp.authn

Class AbstractPasswordIdpAuthnAdapter

java.lang.Object

org.sourceid.saml20.adapter.idp.authn.AbstractPasswordIdpAuthnAdapter

All Implemented Interfaces:

ConfigurablePlugin, ConfigurableAuthnAdapter, IdpAuthenticationAdapter

Deprecated.

Use the HttpBasicIdpAuthnAdapter and HttpFormIdpAuthnAdapter. These classes separate the Basic/Form functionality and use the PasswordCredentialValidator which is the new direction PF is taking for un/pw validation

public abstract class AbstractPasswordIdpAuthnAdapter
extends Object
implements IdpAuthenticationAdapter

An abstract class to provide common base functionally for an IdpAuthenticationAdapter. Interactions with the user to obtain authentication credentials can take place via HTTP Basic Authentication or an HTML form depending on the setOperationalMode(org.sourceid.saml20.adapter.idp.authn.AbstractPasswordIdpAuthnAdapter.Mode) Operational Mode}.

After a successful authentication most modern browsers will resubmit HTTP basic credentials with every request. Because of this, logging out of a session that was authenticated via HTTP basic isn't really possible. This adapter simulates logout functionality with HTTP basic authentication by keeping session state and sending a 401 status code if it finds a logout flag in that session state, regardless of whether basic credentials were presented.

It is possible, however, that the session might expire, eliminating the logout flag. But then the browser sends the HTTP basic credentials with a request after the session expiration, since it appears to the server and adapter that the user is authenticated. For this reason, if subclasses of this adapter are used in HTTP basic mode, it is highly recommended that you suggest to end users that they close their browser after logout.

Developers extending this class must implement the methods defined on ConfigurableAuthnAdapter as appropriate. The abstract methods getRealm() and getAuthenticationIdentifiers(String, String) must also be implemented.

Optionally the getMaxUserChallengeRetries() can be overridden to control the number of times a user can attempt authentication.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	AbstractPasswordIdpAuthnAdapter.Mode Deprecated.

Field Summary

Fields inherited from interface org.sourceid.saml20.adapter.idp.authn.IdpAuthenticationAdapter

AUTHN_CTX_ATTRIBUTE_NAME, AUTHN_INSTANT_ATTRIBUTE_NAME, DEVICE_SHARING_TYPE_ATTRIBUTE_NAME, POLICY_ACTION_ATTRIBUTE_NAME

Constructor Summary

Constructors

Constructor and Description
AbstractPasswordIdpAuthnAdapter() Deprecated.

Method Summary

Modifier and Type	Method and Description
AbstractPasswordIdpAuthnAdapter.Mode	getOperationalMode() Deprecated. Gets the current operational mode of the adapter.
boolean	logoutAuthN(Map authnIdentifiers, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath) Deprecated. This is the method that the PingFederate server will invoke during processing of a single logout to terminate a security context for a user at the external application or authentication provider service.
Map	lookupAuthN(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) Deprecated. This is the method that the PingFederate server will invoke during processing of a single sign-on transaction to lookup information about an authenticated security context or session for a user at the external application or authentication provider service.
Map	lookupAuthnBasic(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) Deprecated.
Map	lookupAuthnForm(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String entityId, AuthnPolicy authnPolicy, String resumeUrl) Deprecated.
void	setOperationalMode(AbstractPasswordIdpAuthnAdapter.Mode operationalMode) Deprecated. Sets the current operational mode of the adapter.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.sourceid.saml20.adapter.idp.authn.IdpAuthenticationAdapter

getAdapterDescriptor

Methods inherited from interface org.sourceid.saml20.adapter.ConfigurableAuthnAdapter

configure

Constructor Detail

AbstractPasswordIdpAuthnAdapter

public AbstractPasswordIdpAuthnAdapter()

Deprecated.

Method Detail

getOperationalMode

public AbstractPasswordIdpAuthnAdapter.Mode getOperationalMode()

Deprecated.

Gets the current operational mode of the adapter.

Returns:

Mode (form or basic).

setOperationalMode

public void setOperationalMode(AbstractPasswordIdpAuthnAdapter.Mode operationalMode)

Deprecated.

Sets the current operational mode of the adapter.

Parameters:

operationalMode - the new mode.

lookupAuthnBasic

public Map lookupAuthnBasic(javax.servlet.http.HttpServletRequest req,
                            javax.servlet.http.HttpServletResponse resp,
                            String entityId,
                            AuthnPolicy authnPolicy,
                            String resumeUrl)
                     throws IOException

Deprecated.

Throws:

IOException

lookupAuthnForm

public Map lookupAuthnForm(javax.servlet.http.HttpServletRequest req,
                           javax.servlet.http.HttpServletResponse resp,
                           String entityId,
                           AuthnPolicy authnPolicy,
                           String resumeUrl)
                    throws IOException

Deprecated.

Throws:

IOException

lookupAuthN

public Map lookupAuthN(javax.servlet.http.HttpServletRequest req,
                       javax.servlet.http.HttpServletResponse resp,
                       String entityId,
                       AuthnPolicy authnPolicy,
                       String resumeUrl)
                throws IOException

Deprecated.

Description copied from interface: IdpAuthenticationAdapter

This is the method that the PingFederate server will invoke during processing of a single sign-on transaction to lookup information about an authenticated security context or session for a user at the external application or authentication provider service.

If your implementation of this method needs to operate asynchronously, it just needs to write to the HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server checks to see if the response has been committed. If the response has been committed, PingFederate saves the state it needs and discontinues processing for the current transaction. Processing of the transaction is continued when the user agent returns to the resumePath at the PingFederate server at which point the server invokes this method again. This series of events will be repeated until this method returns without committing the response. When that happens (which could be the first invocation) PingFederate will complete the protocol transaction processing with the return result of this method.

Note that if the response is committed, then PingFederate ignores the return value. Only the return value of an invocation that does not commit the response will be used.

If this adapter is implemented asynchronously, it's recommended that the user agent always returns to the resumePath in order to be compatible with Composite Adapter's "Sufficent" adapter chaining policy. The Composite Adapter allows an Administrator to "chain" a selection of available adapter instances for a connection. At runtime, adapter chaining means that SSO requests are passed sequentially through each adapter instance specified until one or more authentication results are found for the user. If the user agent does not return control to PingFederate for failed authentication scenarios, then the authentication chain will break and should not be used with Composite Adapter's "Sufficient" chaining policy.

Specified by:

lookupAuthN in interface IdpAuthenticationAdapter

Parameters:

req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request like the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.

resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows for the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.

entityId - the entity id of the SP to whom the single sign-on will be sent.

authnPolicy - an object with values that restricts what kind of user interaction is allowed or required during the authentication.

resumeUrl - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.

Returns:

a map of attributes that uniquely identify the authenticated security context of the user. The keys of this map should be the same as the set of attributes defined as this adapters attribute contract in its AuthnAdapterDescriptor (IdpAuthenticationAdapter.getAdapterDescriptor()). This map will also be passed back to the adapter implementation on logout as the first parameter of the IdpAuthenticationAdapter.logoutAuthN(java.util.Map, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String) method. This enables the adapter to identify what session or security context to terminate during logout.

Throws:

IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse).

logoutAuthN

public boolean logoutAuthN(Map authnIdentifiers,
                           javax.servlet.http.HttpServletRequest req,
                           javax.servlet.http.HttpServletResponse resp,
                           String resumePath)
                    throws IOException

Deprecated.

Description copied from interface: IdpAuthenticationAdapter

This is the method that the PingFederate server will invoke during processing of a single logout to terminate a security context for a user at the external application or authentication provider service.

If your implementation of this method needs to operate asynchronously, it just needs to write to the HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server checks to see if the response has been committed. If the response has been committed, PingFederate saves the state it needs and discontinues processing for the current transaction. Processing of the transaction is continued when the user agent returns to the resumePath at the PingFederate server at which point the server invokes this method again. This series of events will be repeated until this method returns without committing the response. When that happens (which could be the first invocation) PingFederate will complete the protocol transaction processing with the return result of this method.

Note that if the response is committed, then PingFederate ignores the return value. Only the return value of an invocation that does not commit the response will be used. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.

Note on SOAP logout: If this logout is being invoked as the result of a back channel protocol request, the request, response and resumePath parameters will all be null as they have no meaning in such a context where the user agent is inaccessible.

Specified by:

logoutAuthN in interface IdpAuthenticationAdapter

Parameters:

authnIdentifiers - the map of authentication identifiers originally returned to the PingFederate server by the IdpAuthenticationAdapter.lookupAuthN(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String, org.sourceid.saml20.adapter.idp.authn.AuthnPolicy, java.lang.String) method. This enables the adapter to associate a security context or session returned by lookupAuthN with the invocation of this logout method.

req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request like the full URL the request was made to.

resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows for the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.

resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.

Returns:

a boolean indicating if the logout was successful.

Throws:

IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse will throw an IOException.