
saml20-clj.core

Main interface for saml20-clj SP functionality. The core functionality is broken out into several separate namespaces, but vars are made available here via Potemkin.


->Response

(->Response this)

->X509Certificate

(->X509Certificate this)

Coerce something such as a base-64-encoded string or byte array to a java.security.cert.X509Certificate. This class isn't used directly by OpenSAML; instead, the certificate must be coerced to an OpenSAML Credential. See ->Credential.


->xml-string

(->xml-string this)

accept-response!

(accept-response! this request-id)

Called whenever a new response from the IdP is received. The state manager should verify that request-id was actually issued by us (e.g., one recorded earlier via record-request!), and (hopefully) that it is not too old; if the response is not acceptable, it must throw an Exception. The state manager should remove the request from its state so that a response with the same ID cannot be used again (e.g. to prevent replay attacks).


assertions

(assertions decrypted-response)
(assertions possibly-encrypted-response sp-private-key)

Returns the assertions (encrypted or not) of a SAML Response object


base64->str

(base64->str string)

decrypt-response

(decrypt-response response sp-private-key)

Decrypt response using sp-private-key if it has encrypted Assertions. If it does not have encrypted assertions, return response as-is.


default-validation-options


idp-redirect-response

(idp-redirect-response saml-request idp-url relay-state)

Return Ring response for HTTP 302 redirect.


in-memory-state-manager

(in-memory-state-manager)
(in-memory-state-manager request-timeout-seconds)
(in-memory-state-manager request-timeout-seconds initial-state)

A simple in-memory state manager, suitable for a single instance. Request IDs are considered valid for a minimum of request-timeout-seconds.


metadata

(metadata {:keys [app-name acs-url slo-url sp-cert requests-signed
                  want-assertions-signed]
           :or {want-assertions-signed true requests-signed true}})

record-request!

(record-request! this request-id)

Called whenever a new request to the IdP goes out. The state manager should record request-id (and probably the current timestamp as well) so it can be used for validating responses.

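The two StateManager methods above (record-request! and accept-response!) together describe a single-use, expiring record of outgoing request IDs. The following is an added example of an implementation with exactly those semantics; it is not code from saml20-clj. It assumes the StateManager protocol lives in the saml20-clj.state namespace (the core namespace re-exports it via Potemkin), and it differs from in-memory-state-manager in that IDs expire exactly at timeout-seconds rather than after "a minimum of" that interval.

```clojure
(ns example.saml-state
  "Added example: a single-use, expiring StateManager."
  (:require [saml20-clj.state :as state]) ; assumed namespace of the StateManager protocol
  (:import java.time.Instant))

(defn- expired?
  "True when `recorded-at` lies more than `timeout-seconds` before `now`."
  [^Instant recorded-at ^Instant now timeout-seconds]
  (.isAfter now (.plusSeconds recorded-at (long timeout-seconds))))

(defn single-use-state-manager
  "Returns a StateManager that remembers each outgoing request ID together with
  the instant it was issued, accepts a response only if its InResponseTo ID is
  known and younger than `timeout-seconds`, and forgets the ID on first use so a
  captured Response cannot be replayed."
  [timeout-seconds]
  (let [pending (atom {})] ; request-id -> Instant at which it was recorded
    (reify state/StateManager
      (record-request! [_ request-id]
        (let [now (Instant/now)]
          ;; Drop stale IDs on every record so the map cannot grow without bound.
          (swap! pending
                 (fn [m]
                   (-> (into {} (remove (fn [[_ at]] (expired? at now timeout-seconds))) m)
                       (assoc request-id now))))
          request-id))
      (accept-response! [_ request-id]
        (let [now (Instant/now)
              ;; swap-vals! returns [old new]; removing the ID and reading the old
              ;; map in one atomic step means two concurrent responses carrying the
              ;; same ID cannot both be accepted.
              [before _] (swap-vals! pending dissoc request-id)
              recorded-at (get before request-id)]
          (cond
            (nil? recorded-at)
            (throw (ex-info "SAML Response InResponseTo is unknown or already used"
                            {:request-id request-id}))

            (expired? recorded-at now timeout-seconds)
            (throw (ex-info "SAML request ID has expired"
                            {:request-id request-id :recorded-at recorded-at}))

            :else request-id))))))

(comment
  ;; Constructed usage: the first accept succeeds, the second throws because the
  ;; ID was removed on first use.
  (let [sm (single-use-state-manager 300)]
    (state/record-request! sm "id-constructed-1")
    (state/accept-response! sm "id-constructed-1")
    (state/accept-response! sm "id-constructed-1")))
```

Because accept-response! both checks and removes the ID in a single swap-vals!, there is no window between "is this ID known?" and "forget it" in which a second copy of the same Response could slip through. An unknown ID and an expired ID are reported separately so that logs can distinguish a replay from a slow login.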

request

(request {:keys [request-id sp-name acs-url idp-url issuer state-manager
                 credential instant]
          :or {request-id (str "id" (java.util.UUID/randomUUID))
               instant (t/instant)}})

Return XML elements that represent a SAML 2.0 auth request.


str->base64

(str->base64 string)

validate

(validate response idp-cert sp-private-key)
(validate response
          idp-cert
          sp-private-key
          {:keys [response-validators assertion-validators acs-url request-id
                  state-manager user-agent-address issuer solicited?
                  allowable-clock-skew-seconds]})

Validate response. Returns decrypted response if valid. Options:

  • :response-validators - optional. The validators to run against the <Response> itself. Validators are implemented as methods of validate-response. If this is not passed, uses validators defined in default-validation-options.

  • :assertion-validators - optional. The validators to run against each <Assertion> in the response. Validators are implemented as methods of validate-assertion. If this is not passed, uses validators defined in default-validation-options.

  • :acs-url - REQUIRED. Assertion consumer service URL. The :recipient assertion validator checks this.

  • :request-id - optional. Validated by the :in-response-to validator if passed.

  • :state-manager - optional. An instance of StateManager (such as in-memory-state-manager) that can check whether a Response with the given ID was already processed.

  • :user-agent-address - optional. Address of the client. If present, the :address validator will check that any Address information in the <SubjectConfirmationData> passes.

  • :issuer - optional. Unique identifier for the IdP. If passed, the :issuer validators will validate any Issuer information present on the <Response>, and the Issuer of each <Assertion> (Issuer is required for Assertions).

  • :solicited? - optional. Whether this request is the result of an SSO login flow initiated by the SP (us). If this is false, the :in-response-to validator checks that the request-id is nil.

  • :allowable-clock-skew-seconds - optional. By default, 3 minutes. The amount of leeway to use when validating NotOnOrAfter and NotBefore attributes.

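The options above only make sense as part of the round trip that produces them: request issues the AuthnRequest, idp-redirect-response sends the browser to the IdP, and validate checks the Response that comes back against the ID, ACS URL, issuer and client address we expected. The following pair of Ring handlers is an added example of that flow; it is not code from saml20-clj or from cljdoc. It assumes: the record-request! function is reachable through the saml20-clj.state namespace; all URLs and entity IDs are placeholders; load-sp-private-key is a hypothetical loader standing in for however your deployment obtains the SP key; the :issuer key passed to request is the SP's own entity ID; and validate accepts the base64-decoded Response XML string (coerced through ->Response). The request ID is recorded explicitly rather than by passing :state-manager to request, so the example does not depend on request recording it for you.

```clojure
(ns example.saml-sp
  "Added example: SP-initiated login and ACS handlers built on saml20-clj.core."
  (:require [saml20-clj.core :as saml]
            [saml20-clj.state :as state])) ; assumed namespace exposing record-request!

;; Placeholder deployment values; none of these come from the saml20-clj docs.
(def config
  {:sp-entity-id  "https://sp.example.test/saml"       ; our sp-name / Issuer
   :acs-url       "https://sp.example.test/saml/acs"
   :idp-url       "https://idp.example.test/sso"        ; IdP single sign-on endpoint
   :idp-entity-id "https://idp.example.test/metadata"}) ; Issuer we expect on Responses

;; Assumed inputs: the IdP signing certificate as a base-64 string (as taken from
;; its metadata) and our private key via a hypothetical loader.
(def idp-cert (saml/->X509Certificate (slurp "idp-signing-cert.b64")))
(def sp-private-key (load-sp-private-key)) ; hypothetical, not from the page

(def state-manager (saml/in-memory-state-manager 300)) ; IDs valid for at least 5 minutes

(defn login-handler
  "Ring handler: issue an AuthnRequest and redirect the browser to the IdP.
  The request ID is recorded with the state manager and kept in the session so
  the ACS handler can demand a Response that answers exactly this request."
  [{:keys [session]}]
  (let [request-id   (str "id" (java.util.UUID/randomUUID)) ; same shape as request's default
        saml-request (saml/request {:request-id request-id
                                    :sp-name    (:sp-entity-id config)
                                    :issuer     (:sp-entity-id config) ; assumed: SP entity ID
                                    :acs-url    (:acs-url config)
                                    :idp-url    (:idp-url config)})
        ;; RelayState is echoed back by the IdP unmodified; keep it an opaque
        ;; token rather than a URL so it cannot become an open redirect.
        relay-state  "after-login"]
    (state/record-request! state-manager request-id)
    (-> (saml/idp-redirect-response saml-request (:idp-url config) relay-state)
        (assoc :session (assoc session :saml-request-id request-id)))))

(defn acs-handler
  "Ring handler for the Assertion Consumer Service (HTTP-POST binding).
  Every check is delegated to validate; a failure becomes a 403 with no detail
  sent to the browser, while the cause stays available for server-side logging."
  [{:keys [form-params remote-addr session]}]
  (let [request-id   (:saml-request-id session)
        ;; The POST binding carries the Response as base-64-encoded XML.
        response-xml (saml/base64->str (get form-params "SAMLResponse"))]
    (try
      (let [decrypted (saml/validate response-xml idp-cert sp-private-key
                                     {:acs-url            (:acs-url config)
                                      :request-id         request-id
                                      ;; unsolicited only if we never started a flow
                                      :solicited?         (some? request-id)
                                      :state-manager      state-manager
                                      :issuer             (:idp-entity-id config)
                                      :user-agent-address remote-addr
                                      :allowable-clock-skew-seconds 60})]
        {:status  200
         :headers {"Content-Type" "text/plain"}
         :body    (pr-str (saml/assertions decrypted))
         ;; the request ID has served its purpose; drop it from the session
         :session (dissoc session :saml-request-id)})
      (catch Exception e
        ;; log (ex-message e) and (ex-data e) server-side; say nothing specific to the client
        {:status 403 :headers {"Content-Type" "text/plain"} :body "SAML login rejected"}))))
```

Passing :request-id, :state-manager and :solicited? together is what ties a Response to one outstanding login: the :in-response-to validator checks the ID matches, and the state manager's accept-response! consumes it so the same Response cannot be posted twice. The 60-second clock skew is deliberately tighter than the 3-minute default; widen it only if your IdP's clock is known to drift.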
