PredefinedBeans
The IdP configuration provides many "named beans" to simplify configuration and to reduce the burden of knowing specific class names, particularly in cases where the class names may be subject to change in future major versions. Other classes may not have supporting beans but are part of the API and provide useful pre-built logic to use in configuring the system.
For ease of navigation, this topic divides them into three groups: Predicates (which can generally also be used as ActivationConditions), Functions, and other beans. These categories also include BiPredicates and BiFunctions, the two-input variants of the usual unary interfaces that are occasionally needed.
Predicates
Predicate beans are implementations of the Java Predicate functional interface; they are applied to a "thing" and return true or false.
Logic
shibboleth.Conditions.FALSE - returns false for any input
shibboleth.Conditions.TRUE - returns true for any input
shibboleth.Conditions.AND - the result is the logical conjunction of two (similarly typed) conditions
shibboleth.Conditions.OR - the result is the logical disjunction of two (similarly typed) conditions
shibboleth.Conditions.NOT - the result is the logical negation of the provided condition
Profile Request Conditions
The most common use of Predicates is in ActivationConditions, and the majority of the predefined beans are of type Predicate<ProfileRequestContext>. Such conditions are called with the object at the root of the tree of contexts that makes up the state of a request, so they can be very generic, or implemented for very specific purposes.
shibboleth.Conditions.BrowserProfile - returns true if the current profile is one which assumes browser interaction.
shibboleth.Conditions.RelyingPartyId - returns true if the name (typically the SAML entityID) of the relying party/peer system matches one of a configured set of values
shibboleth.Conditions.Scripted - returns the result of running a JSR-223 scriptlet
shibboleth.Conditions.Expression - returns the value specified by a SpEL expression
shibboleth.Conditions.EntityDescriptor - adapter that returns the value of a predicate applied to the SAML metadata for a request
shibboleth.Conditions.MappedEntityAttribute - predicate generally used with the above adapter to test for presence of EntityAttribute “tag” values in SAML metadata
shibboleth.Conditions.SubjectName - adapter that returns the value of a predicate or collection of strings applied to the subject name for a request
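As an added example (not taken from the IdP distribution or its documentation), the following shows how the logic beans above combine the request conditions into one ActivationCondition, and the same rule written as a scriptlet. The bean ids, the SP entityIDs, the list form of the AND constructor argument and the candidates constructor argument of RelyingPartyId are assumptions for illustration.

```xml
<!-- Added example, not part of the IdP distribution. Place in a Spring beans file that
     declares the c and p namespaces; ids and entityIDs are illustrative assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- True only for the named relying parties (SpEL inline list of entityIDs). -->
    <bean id="example.IsPartnerSP" parent="shibboleth.Conditions.RelyingPartyId"
          c:candidates="#{{'https://sp.example.org/shibboleth', 'https://sp2.example.org/shibboleth'}}" />

    <!-- True for a partner SP, but only on non-browser (e.g. back-channel) profiles:
         AND over a list of conditions, one of them negated with NOT. -->
    <bean id="example.PartnerBackChannel" parent="shibboleth.Conditions.AND">
        <constructor-arg>
            <list>
                <ref bean="example.IsPartnerSP" />
                <bean parent="shibboleth.Conditions.NOT">
                    <constructor-arg>
                        <bean parent="shibboleth.Conditions.BrowserProfile" />
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- The same rule as a JSR-223 scriptlet. 'input' is the ProfileRequestContext.
         returnOnError is left false so a script failure fails closed (condition false). -->
    <bean id="example.PartnerBackChannelScripted" parent="shibboleth.Conditions.Scripted"
          factory-method="inlineScript" p:returnOnError="false">
        <constructor-arg>
            <value>
            <![CDATA[
                var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
                rpCtx != null
                    && rpCtx.getRelyingPartyId() == "https://sp.example.org/shibboleth"
                    && !input.isBrowserProfile();
            ]]>
            </value>
        </constructor-arg>
    </bean>
</beans>
```

Either bean can then be referenced from whatever component it should gate (an activationCondition property or activationConditionRef attribute, depending on the component). Prefer the composed form where it suffices: it needs no script engine, cannot throw, and does not hard-wire a context class name. If a scripted condition is unavoidable, keep returnOnError false for anything that controls access or release of data, so an engine or script error does not silently enable the behaviour.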
Attribute Predicates
These predicates support decisions based on a subject's resolved attributes. All variants allow for either the filtered or unfiltered attributes to be consulted. Obviously these predicates are only valid after attribute resolution has taken place.
They generally assume the "normal" attribute resolution process; more specialized or deployer-triggered resolution processes (e.g., during authentication) will typically require additional customizations in order to locate the AttributeContext containing the data. As an example, using one of these predicates as an ActivationCondition guarding an AttributeDefinition or DataConnector will typically require the PreRequestedAttributes feature, and the use of the shibboleth.ChildLookup.PreRequestedAttributeContext lookup bean.
shibboleth.Conditions.DateAttribute - returns true if the content of a provided string-valued attribute parses into a date which is later than the current time
shibboleth.Conditions.SimpleAttribute - matches a set of attribute/value rules against the resolved attribute data
shibboleth.Conditions.RegexAttribute - matches a set of attribute/value regular expressions against the resolved attribute data
shibboleth.Conditions.DynamicAttribute - similar to the SimpleAttributePredicate, but the matching rules come from a supplied Function and not a statically defined set of values
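As an added example (not from the IdP distribution), the following defines one SimpleAttribute rule in three forms: against filtered attributes, against unfiltered attributes, and for use as an activation condition inside the attribute resolver, where the caveat above applies and the AttributeContext must be located via the PreRequestedAttributes lookup bean. The bean ids, the attribute and entitlement value, and the property names attributeValueMap, useUnfilteredAttributes and attributeContextLookupStrategy are assumptions for illustration.

```xml
<!-- Added example, not part of the IdP distribution. Requires the p namespace;
     ids, attribute name, value and property names are illustrative assumptions. -->

<!-- True when the subject's eduPersonEntitlement contains the value. Filtered
     attributes are consulted, so the result depends on the filter policy in effect
     for the current relying party. -->
<bean id="example.HasMfaEntitlement" parent="shibboleth.Conditions.SimpleAttribute">
    <property name="attributeValueMap">
        <map>
            <entry key="eduPersonEntitlement">
                <list>
                    <value>urn:mace:example.org:entitlement:mfa-required</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- Same rule against the unfiltered (as-resolved) data. Use this form when the
     decision must not vary with per-relying-party filtering, e.g. whether to
     require a second factor. -->
<bean id="example.HasMfaEntitlementUnfiltered" parent="shibboleth.Conditions.SimpleAttribute"
      p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
        <map>
            <entry key="eduPersonEntitlement">
                <list>
                    <value>urn:mace:example.org:entitlement:mfa-required</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- For an activationConditionRef on an AttributeDefinition or DataConnector: the
     normal AttributeContext is not populated yet, so point the lookup at the
     context filled by PreRequestedAttributes. -->
<bean id="example.HasMfaEntitlementPreRequested" parent="shibboleth.Conditions.SimpleAttribute"
      p:useUnfilteredAttributes="true"
      p:attributeContextLookupStrategy-ref="shibboleth.ChildLookup.PreRequestedAttributeContext">
    <property name="attributeValueMap">
        <map>
            <entry key="eduPersonEntitlement">
                <list>
                    <value>urn:mace:example.org:entitlement:mfa-required</value>
                </list>
            </entry>
        </map>
    </property>
</bean>
```

All three return false when no AttributeContext is found or the attribute is absent, which is the safe default; the third form only works if eduPersonEntitlement is itself listed among the pre-requested attributes, otherwise the lookup succeeds but the attribute is never there.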
Other Predicates
These are not named beans, but are useful classes:
org.opensaml.profile.logic.IPRangePredicate - returns true if a servlet request client address falls within a particular address range
BiPredicates
shibboleth.BiConditions.FALSE (since 5.1) - returns false for any inputs
shibboleth.BiConditions.TRUE (since 5.1) - returns true for any inputs
shibboleth.BiConditions.AND - the result is the logical conjunction of two (similarly typed) BiPredicates
shibboleth.BiConditions.OR - the result is the logical disjunction of two (similarly typed) BiPredicates
shibboleth.BiConditions.NOT - the result is the logical negation of the provided BiPredicate
shibboleth.BiConditions.Scripted - returns the result of running a JSR-223 scriptlet
shibboleth.BiConditions.Expression - returns the value specified by a SpEL expression
Functions
All Function beans are implementations of the Java Function functional interface; they are given a "thing" and return a "thing". The most common uses in the IdP are either to override how information is located, or to supply dynamically computed information to the IdP that may depend on local deployment customizations.
The use of Functions tends to be more varied than that of Predicates, but ProfileRequestContext is still the most common input type, while the output type naturally varies.
For a few unusual cases, there are also a set of BiFunction beans, which support two inputs instead of just one.
General Purpose
shibboleth.Functions.Constant - a Function that ignores its input and returns a fixed value supplied when the bean is defined
shibboleth.Functions.Compose - a Function that composes two other input Functions
shibboleth.Functions.Scripted - a Function that returns the result of running a JSR-223 scriptlet
shibboleth.Functions.Expression - a Function that returns the value specified by a SpEL expression
shibboleth.BiFunctions.Constant - a BiFunction that ignores its inputs and returns a fixed value supplied when the bean is defined
shibboleth.BiFunctions.Compose - a BiFunction that composes a BiFunction with a Function
shibboleth.BiFunctions.Scripted - a BiFunction that returns the result of running a JSR-223 scriptlet
shibboleth.BiFunctions.Expression - a BiFunction that returns the value specified by a SpEL expression
Context Functions
Context functions are a specialized subset of Function that operate on a particular "context class" from the hierarchy of objects that manage request state, often though not exclusively the ProfileRequestContext type. They return various pieces of data associated with the input context and act as navigation functions that provide access to the data being operated on.
The two generic extension points are:
A number of concrete beans exist for looking up particular pieces of information directly, either as part of more complex function composition or from scripts, so that specific expressions are not hard-wired and null checking is centralized rather than left to raise exceptions. They generally return null when unable to produce a legitimate value.
shibboleth.MessageLookup.SAMLObject – a function that returns a message inside a MessageContext if and only if it is a SAML message type
shibboleth.MessageLookup.AuthnRequest – a function that returns a message inside a MessageContext if and only if it is a SAML AuthnRequest
shibboleth.PrincipalNameLookup.Subject – a function that returns the authenticated principal name from a SubjectContext
shibboleth.PrincipalNameLookup.Session – a function that returns the principal name from a SessionContext
RelyingParty-Based Context Functions
A subset of context functions first locate a RelyingPartyContext and then navigate on to particular data. By default these functions locate the RelyingPartyContext as a direct child of the input ProfileRequestContext; this can be changed by setting the bean's relyingPartyContextLookupStrategy property.
shibboleth.ResponderIdLookup.Simple – a function that returns the IdP's own entityID during interaction with a relying party
shibboleth.RelyingPartyIdLookup.Simple – a function that returns the name of a relying party
Tag Lookup Functions
A set of function beans exists to extract metadata extension “tags”. See AccessingMetadataTags for details and examples.
Context Lookup Functions
Context lookup functions are another type of context function with the particular purpose of navigating the context tree from one context type to another. Most of these beans are of type ChildContextLookup and return a child context of the associated type (or null).
The "ChildLookupOrCreate" variants create a context of the designated type if none exists, so a non-null input never yields a null result in those cases. Any of the "ChildLookup" variants can be given creation semantics by deriving a new bean from the existing parent and adding c:createContext="true".
The selection is somewhat arbitrary because the beans that exist are primarily the ones needed by the IdP's own code; many others could be defined in principle.
shibboleth.MessageContextLookup.Inbound – a function that returns a ProfileRequestContext's inbound MessageContext
shibboleth.MessageContextLookup.Outbound – a function that returns a ProfileRequestContext's outbound MessageContext
shibboleth.ChildLookup.RelyingParty – RelyingPartyContext
shibboleth.ChildLookup.MultiRelyingParty – MultiRelyingPartyContext
shibboleth.ChildLookup.ProfileRequestContext – ProfileRequestContext
shibboleth.ChildLookup.AttributeContext – AttributeContext
shibboleth.ChildLookup.PreRequestedAttributeContext – AttributeContext (after PreRequestedAttributes resolution)
shibboleth.ChildLookup.AuthenticationContext – AuthenticationContext
shibboleth.ChildLookup.RequestedPrincipalContext – RequestedPrincipalContext
shibboleth.ChildLookup.MultiFactorAuthenticationContext – MultiFactorAuthenticationContext
shibboleth.ChildLookup.ExternalAuthenticationContext – ExternalAuthenticationContext
shibboleth.ChildLookup.SubjectContext – SubjectContext
shibboleth.ChildLookup.SubjectCanonicalizationContext – SubjectCanonicalizationContext
shibboleth.ChildLookup.SessionContext – SessionContext
shibboleth.ChildLookup.LogoutContext – LogoutContext
shibboleth.ChildLookup.SecurityParameters – SecurityParametersContext
shibboleth.ChildLookup.EncryptionParameters – EncryptionContext
shibboleth.ChildLookup.SAMLBindingContext – SAMLBindingContext
shibboleth.ChildLookup.SAMLProtocolContext – SAMLProtocolContext
shibboleth.ChildLookup.SAMLPeerEntityContext – SAMLPeerEntityContext
shibboleth.ChildLookup.SAMLMetadataContext – SAMLMetadataContext
shibboleth.ChildLookupOrCreate.AttributeContext - AttributeContext
shibboleth.ChildLookupOrCreate.AttributeFilterContext – AttributeFilterContext
shibboleth.ChildLookupOrCreate.RelyingPartyUIContext – RelyingPartyUIContext
shibboleth.ChildLookupOrCreate.SAMLMessageInfoContext – SAMLMessageInfoContext
shibboleth.ChildLookupOrCreate.SecurityParameters – SecurityParametersContext
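As an added example (not from the IdP distribution or its documentation), the following composes the lookup beans above into a Function from ProfileRequestContext to principal name without hard-wiring any subcontext class name, adds a scripted fallback that receives the composed lookups as its custom object, and derives a creating variant of a ChildLookup bean as described in the text. The bean ids, the use of a util:map as the custom object, and the argument order of Compose (the first argument is applied to the result of the second, i.e. g(f(x))) are assumptions for illustration.

```xml
<!-- Added example, not part of the IdP distribution. Requires the c, p and util
     namespaces; ids, the util:map and the Compose argument order are assumptions. -->

<!-- ProfileRequestContext -> SubjectContext -> principal name (null if either step fails).
     PrincipalNameLookup.Subject takes a SubjectContext, so it is composed with the
     child lookup rather than applied to the ProfileRequestContext directly. -->
<bean id="example.SubjectPrincipalName" parent="shibboleth.Functions.Compose">
    <constructor-arg index="0"><ref bean="shibboleth.PrincipalNameLookup.Subject" /></constructor-arg>
    <constructor-arg index="1"><ref bean="shibboleth.ChildLookup.SubjectContext" /></constructor-arg>
</bean>

<!-- Same shape for an existing IdP session: ProfileRequestContext -> SessionContext -> name. -->
<bean id="example.SessionPrincipalName" parent="shibboleth.Functions.Compose">
    <constructor-arg index="0"><ref bean="shibboleth.PrincipalNameLookup.Session" /></constructor-arg>
    <constructor-arg index="1"><ref bean="shibboleth.ChildLookup.SessionContext" /></constructor-arg>
</bean>

<!-- Both lookups handed to a script as its custom object. -->
<util:map id="example.PrincipalLookups">
    <entry key="subject" value-ref="example.SubjectPrincipalName" />
    <entry key="session" value-ref="example.SessionPrincipalName" />
</util:map>

<!-- Prefer the freshly authenticated subject, fall back to the session; null if neither.
     'input' is the ProfileRequestContext, 'custom' is the map above. No class names
     appear in the script, so it survives API renames that the named beans absorb. -->
<bean id="example.PrincipalNameOrNull" parent="shibboleth.Functions.Scripted"
      factory-method="inlineScript" p:customObject-ref="example.PrincipalLookups">
    <constructor-arg>
        <value>
        <![CDATA[
            var name = custom.get("subject").apply(input);
            if (name == null) {
                name = custom.get("session").apply(input);
            }
            name;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- A creating variant of a lookup that normally returns null when the child is absent. -->
<bean id="example.AttributeContextLookupOrCreate"
      parent="shibboleth.ChildLookup.AttributeContext" c:createContext="true" />
```

The composed beans are the ones to reach for first: they are type-checked at wiring time and return null rather than throwing, so callers that treat null as "not available" behave predictably. The script needs a JSR-223 engine to be present, and anything that consumes its result should still handle null, since both lookups can legitimately fail early in a request.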
Consumers / BiConsumers
Consumers and BiConsumers are similar to Functions and BiFunctions except that they don't return a result but simply produce side effects against their input(s). They are not common, but appear in a few places in the API where side effects are needed but no exceptions are expected to be raised. A pair of beans are supplied to implement them more easily.
Other Beans
A few other beans of general utility are defined.
shibboleth.Pair – a parent bean for creating objects of type net.shibboleth.shared.collection.Pair
shibboleth.CommaDelimStringArray – a utility bean for converting a comma-delimited string into an array of strings (the input is provided as a constructor argument)
shibboleth.HttpServletRequestSupplier – an automated way of injecting a request's HttpServletRequest object into another bean (via a Supplier)
shibboleth.HttpServletResponseSupplier – an automated way of injecting a request's HttpServletResponse object into another bean (via a Supplier)
shibboleth.SAML2AuthnContextClassRef – a parent bean for defining a SAML 2.0 AuthnContextClassRef custom Principal object
shibboleth.SAML2AuthnContextDeclRef – a parent bean for defining a SAML 2.0 AuthnContextDeclRef custom Principal object (these are almost never used, but are present for completeness)
shibboleth.SAML1AuthenticationMethod – a parent bean for defining a SAML 1.1 AuthenticationMethod custom Principal object
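As an added example (not from the IdP distribution), the following uses the custom Principal parent beans above to declare which SAML authentication context classes and methods an authentication flow is allowed to satisfy. The flow id, the shibboleth.AuthenticationFlow parent, the supportedPrincipals property, and the classRef and method constructor arguments are assumptions for illustration.

```xml
<!-- Added example, not part of the IdP distribution. Requires the c and p namespaces;
     the flow bean, property and constructor-argument names are assumptions. -->
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
      p:passiveAuthenticationSupported="true"
      p:forcedAuthenticationSupported="true">
    <property name="supportedPrincipals">
        <list>
            <!-- SAML 2.0 AuthnContextClassRef values this flow may be used to satisfy. -->
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <!-- SAML 1.1 AuthenticationMethod equivalent. -->
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                  c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
        </list>
    </property>
</bean>
```

The list is a security boundary, not documentation: a relying party that requests one of these values can be satisfied by this flow, so only declare values the flow genuinely provides (for instance, a password-only flow must not list a multi-factor profile such as https://refeds.org/profile/mfa).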