saml20-clj.core
Main interface for saml20-clj SP functionality. The core functionality is broken out into several separate namespaces, but vars are made available here via Potemkin.
Main interface for saml20-clj SP functionality. The core functionality is broken out into several separate namespaces, but vars are made available here via Potemkin.
->Responseclj
(->Response this)->X509Certificateclj
(->X509Certificate this)Coerce something such as a base-64-encoded string or byte array to a java.security.cert.X509Certificate. This
class isn't used directly by OpenSAML; instead, certificate must be coerced to an OpenSAML Credential. See
->Credential.
Coerce something such as a base-64-encoded string or byte array to a `java.security.cert.X509Certificate`. This class isn't used directly by OpenSAML; instead, certificate must be coerced to an OpenSAML `Credential`. See `->Credential`.
->xml-stringclj
(->xml-string this)accept-response!clj
(accept-response! this request-id)Called whenever a new response from IdP is received. The state manager should verify that request-id was
actually issued by us (e.g., one we've seen earlier when record-request!), and (hopefully) that it is not too old;
if the response is not acceptable, it must throw an Exception. The state manager should remove the request from its
state a response with the same ID cannot be used again (e.g. to prevent replay attacks).
Called whenever a new response from IdP is received. The state manager should verify that `request-id` was actually issued by us (e.g., one we've seen earlier when `record-request!`), and (hopefully) that it is not too old; if the response is not acceptable, it must throw an Exception. The state manager should remove the request from its state a response with the same ID cannot be used again (e.g. to prevent replay attacks).
assertionsclj
(assertions decrypted-response)(assertions possibly-encrypted-response sp-private-key)Returns the assertions (encrypted or not) of a SAML Response object
Returns the assertions (encrypted or not) of a SAML Response object
base64->strclj
(base64->str string)decrypt-responseclj
(decrypt-response response sp-private-key)Decrypt response using sp-private-key if it has encrypted Assertions. If it does not have encrypted assertions,
return response as-is.
Decrypt `response` using `sp-private-key` if it has encrypted Assertions. If it does not have encrypted assertions, return `response` as-is.
default-validation-optionsclj
has-private-key?clj
(has-private-key? credential)Will check if the provided keystore contains a private key or not.
Will check if the provided keystore contains a private key or not.
idp-redirect-responseclj
(idp-redirect-response saml-request idp-url relay-state)Return Ring response for HTTP 302 redirect.
Return Ring response for HTTP 302 redirect.
in-memory-state-managerclj
(in-memory-state-manager)(in-memory-state-manager request-timeout-seconds)(in-memory-state-manager request-timeout-seconds initial-state)A simple in-memory state manager, suitable for a single instance. Requests IDs are considered valid for a minimum of
request-timeout-seconds.
A simple in-memory state manager, suitable for a single instance. Requests IDs are considered valid for a minimum of `request-timeout-seconds`.
metadataclj
(metadata {:keys [app-name acs-url slo-url sp-cert requests-signed
want-assertions-signed]
:or {want-assertions-signed true requests-signed true}})record-request!clj
(record-request! this request-id)Called whenever a new request to the IdP goes out. The state manager should record request-id (and probably the
current timestamp as well) so it can be used for validating responses.
Called whenever a new request to the IdP goes out. The state manager should record `request-id` (and probably the current timestamp as well) so it can be used for validating responses.
requestclj
(request {:keys [request-id sp-name acs-url idp-url issuer state-manager
credential instant]
:or {request-id (str "id" (java.util.UUID/randomUUID))
instant (t/instant)}})Return XML elements that represent a SAML 2.0 auth request.
Return XML elements that represent a SAML 2.0 auth request.
str->base64clj
(str->base64 string)validateclj
(validate response idp-cert sp-private-key)(validate response
idp-cert
sp-private-key
{:keys [response-validators assertion-validators acs-url request-id
state-manager user-agent-address issuer solicited?
allowable-clock-skew-seconds]})Validate response. Returns decrypted response if valid. Options:
-
:response-validators- optional. The validators to run against the<Response>itself. Validators are implemented as methods ofvalidate-response. If this is not passed, uses validators defined indefault-validation-options. -
:assertion-validators- optional. the validators to run against each<Assertion>in the response. Validators are implemented as methods ofvalidate-assertion. If this is not passed, uses validators defined indefault-validation-options. -
:acs-url- REQUIRED. Assertion consumer service URL. The:recipientassertion validates this. -
:request-id- optional. Validated by the:in-response-tovalidator if passed. -
:state-manager- optional. An instance ofStateManager(such asin-memory-state-manager) that can check whether a Response with the given ID was already processed. -
:user-agent-address- optional. Address of the client. If present, the:addressvalidator will check that anyAddressinformation in the<SubjectConfimrationData>passes. -
:issuer- optional. Unique identifier for the IdP. If passed, the:issuervalidators will validate anyIssuerinformation present on the<Response>, and theIssuerof each<Assertion>(Issueris required for Assertions). -
:solicited?- optional. Whether this request is the result of an SSO login flow initiated by the SP (us). If this isfalse, the :in-response-tovalidator checks that therequest-idinnil`. -
:allowable-clock-skew-seconds- optional. By default, 3 minutes. The amount of leeway to use when validatingNotOnOrAfterandNotBeforeattributes.
Validate response. Returns decrypted response if valid. Options: * `:response-validators` - optional. The validators to run against the `<Response>` itself. Validators are implemented as methods of `validate-response`. If this is not passed, uses validators defined in `default-validation-options`. * `:assertion-validators` - optional. the validators to run against each `<Assertion>` in the response. Validators are implemented as methods of `validate-assertion`. If this is not passed, uses validators defined in `default-validation-options`. * `:acs-url` - REQUIRED. Assertion consumer service URL. The `:recipient` assertion validates this. * `:request-id` - optional. Validated by the `:in-response-to` validator if passed. * `:state-manager` - optional. An instance of `StateManager` (such as `in-memory-state-manager`) that can check whether a Response with the given ID was already processed. * `:user-agent-address` - optional. Address of the client. If present, the `:address` validator will check that any `Address` information in the `<SubjectConfimrationData>` passes. * `:issuer` - optional. Unique identifier for the IdP. If passed, the `:issuer` validators will validate any `Issuer` information present on the `<Response>`, and the `Issuer` of each `<Assertion>` (`Issuer` is required for Assertions). * `:solicited?` - optional. Whether this request is the result of an SSO login flow initiated by the SP (us). If this is `false`, the :in-response-to` validator checks that the `request-id` in `nil`. * `:allowable-clock-skew-seconds` - optional. By default, 3 minutes. The amount of leeway to use when validating `NotOnOrAfter` and `NotBefore` attributes.
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close