Main interface for saml20-clj SP functionality. The core functionality is broken out into several separate namespaces, but vars are made available here via Potemkin.
Main interface for saml20-clj SP functionality. The core functionality is broken out into several separate namespaces, but vars are made available here via Potemkin.
(->Response this)
(->X509Certificate this)
Coerce something such as a base-64-encoded string or byte array to a java.security.cert.X509Certificate
. This
class isn't used directly by OpenSAML; instead, certificate must be coerced to an OpenSAML Credential
. See
->Credential
.
Coerce something such as a base-64-encoded string or byte array to a `java.security.cert.X509Certificate`. This class isn't used directly by OpenSAML; instead, certificate must be coerced to an OpenSAML `Credential`. See `->Credential`.
(->xml-string this)
(accept-response! this request-id)
Called whenever a new response from IdP is received. The state manager should verify that request-id
was
actually issued by us (e.g., one we've seen earlier when record-request!
), and (hopefully) that it is not too old;
if the response is not acceptable, it must throw an Exception. The state manager should remove the request from its
state a response with the same ID cannot be used again (e.g. to prevent replay attacks).
Called whenever a new response from IdP is received. The state manager should verify that `request-id` was actually issued by us (e.g., one we've seen earlier when `record-request!`), and (hopefully) that it is not too old; if the response is not acceptable, it must throw an Exception. The state manager should remove the request from its state a response with the same ID cannot be used again (e.g. to prevent replay attacks).
(assertions decrypted-response)
(assertions possibly-encrypted-response sp-private-key)
Returns the assertions (encrypted or not) of a SAML Response object
Returns the assertions (encrypted or not) of a SAML Response object
(base64->str string)
(decrypt-response response sp-private-key)
Decrypt response
using sp-private-key
if it has encrypted Assertions. If it does not have encrypted assertions,
return response
as-is.
Decrypt `response` using `sp-private-key` if it has encrypted Assertions. If it does not have encrypted assertions, return `response` as-is.
(idp-redirect-response saml-request idp-url relay-state)
Return Ring response for HTTP 302 redirect.
Return Ring response for HTTP 302 redirect.
(in-memory-state-manager)
(in-memory-state-manager request-timeout-seconds)
(in-memory-state-manager request-timeout-seconds initial-state)
A simple in-memory state manager, suitable for a single instance. Requests IDs are considered valid for a minimum of
request-timeout-seconds
.
A simple in-memory state manager, suitable for a single instance. Requests IDs are considered valid for a minimum of `request-timeout-seconds`.
(metadata {:keys [app-name acs-url slo-url sp-cert requests-signed
want-assertions-signed]
:or {want-assertions-signed true requests-signed true}})
(record-request! this request-id)
Called whenever a new request to the IdP goes out. The state manager should record request-id
(and probably the
current timestamp as well) so it can be used for validating responses.
Called whenever a new request to the IdP goes out. The state manager should record `request-id` (and probably the current timestamp as well) so it can be used for validating responses.
(request {:keys [request-id sp-name acs-url idp-url issuer state-manager
credential instant]
:or {request-id (str "id" (java.util.UUID/randomUUID))
instant (t/instant)}})
Return XML elements that represent a SAML 2.0 auth request.
Return XML elements that represent a SAML 2.0 auth request.
(str->base64 string)
(validate response idp-cert sp-private-key)
(validate response
idp-cert
sp-private-key
{:keys [response-validators assertion-validators acs-url request-id
state-manager user-agent-address issuer solicited?
allowable-clock-skew-seconds]})
Validate response. Returns decrypted response if valid. Options:
:response-validators
- optional. The validators to run against the <Response>
itself. Validators are
implemented as methods of validate-response
. If this is not passed, uses validators defined in
default-validation-options
.
:assertion-validators
- optional. the validators to run against each <Assertion>
in the response. Validators are
implemented as methods of validate-assertion
. If this is not passed, uses validators defined in
default-validation-options
.
:acs-url
- REQUIRED. Assertion consumer service URL. The :recipient
assertion validates this.
:request-id
- optional. Validated by the :in-response-to
validator if passed.
:state-manager
- optional. An instance of StateManager
(such as in-memory-state-manager
) that can check
whether a Response with the given ID was already processed.
:user-agent-address
- optional. Address of the client. If present, the :address
validator will check that any
Address
information in the <SubjectConfimrationData>
passes.
:issuer
- optional. Unique identifier for the IdP. If passed, the :issuer
validators will validate any
Issuer
information present on the <Response>
, and the Issuer
of each <Assertion>
(Issuer
is required for
Assertions).
:solicited?
- optional. Whether this request is the result of an SSO login flow initiated by the SP (us). If
this is false
, the :in-response-tovalidator checks that the
request-idin
nil`.
:allowable-clock-skew-seconds
- optional. By default, 3 minutes. The amount of leeway to use when validating
NotOnOrAfter
and NotBefore
attributes.
Validate response. Returns decrypted response if valid. Options: * `:response-validators` - optional. The validators to run against the `<Response>` itself. Validators are implemented as methods of `validate-response`. If this is not passed, uses validators defined in `default-validation-options`. * `:assertion-validators` - optional. the validators to run against each `<Assertion>` in the response. Validators are implemented as methods of `validate-assertion`. If this is not passed, uses validators defined in `default-validation-options`. * `:acs-url` - REQUIRED. Assertion consumer service URL. The `:recipient` assertion validates this. * `:request-id` - optional. Validated by the `:in-response-to` validator if passed. * `:state-manager` - optional. An instance of `StateManager` (such as `in-memory-state-manager`) that can check whether a Response with the given ID was already processed. * `:user-agent-address` - optional. Address of the client. If present, the `:address` validator will check that any `Address` information in the `<SubjectConfimrationData>` passes. * `:issuer` - optional. Unique identifier for the IdP. If passed, the `:issuer` validators will validate any `Issuer` information present on the `<Response>`, and the `Issuer` of each `<Assertion>` (`Issuer` is required for Assertions). * `:solicited?` - optional. Whether this request is the result of an SSO login flow initiated by the SP (us). If this is `false`, the :in-response-to` validator checks that the `request-id` in `nil`. * `:allowable-clock-skew-seconds` - optional. By default, 3 minutes. The amount of leeway to use when validating `NotOnOrAfter` and `NotBefore` attributes.
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close