Class DefaultLibrarySPAccountMapper

  • All Implemented Interfaces:
    SPAccountMapper
  • Direct Known Subclasses:
    DefaultSPAccountMapper

    public class DefaultLibrarySPAccountMapper
    extends DefaultAccountMapper
    implements SPAccountMapper
    DefaultLibrarySPAccountMapper is the default implementation of SPAccountMapper; it maps SAML protocol objects to user accounts on the Service Provider side of the SAML v2 plugin. Custom implementations may extend this class and override only the methods whose behaviour they need to change.
    • Constructor Detail

      • DefaultLibrarySPAccountMapper

        public DefaultLibrarySPAccountMapper()
        Default constructor
    • Method Detail

      • getIdentity

        public String getIdentity(Assertion assertion,
                                  String hostEntityID,
                                  String realm)
                           throws SAML2Exception
        Returns the user's distinguished name or the universal ID for the given SAML Assertion. The SAML framework invokes this method while processing the Assertion in order to retrieve the identity information. The implementation first checks whether the NameID-Format is transient and, if so, returns the configured transient user. Otherwise it looks up the user that is federated with the name identifier in the assertion. If no such user is found, it checks whether this is an auto federation case.
        Specified by:
        getIdentity in interface SPAccountMapper
        Parameters:
        assertion - SAML Assertion that needs to be mapped to the user.
        hostEntityID - EntityID of the hosted provider.
        realm - Realm or the organization name that may be used to find the user information.
        Returns:
        User's distinguished name or the universal ID.
        Throws:
        SAML2Exception - If there was any failure.
      • shouldPersistNameIDFormat

        public boolean shouldPersistNameIDFormat(String realm,
                                                 String hostEntityID,
                                                 String remoteEntityID,
                                                 String nameIDFormat)
        Description copied from interface: SPAccountMapper
        Tells whether the provided NameID-Format should be persisted in the user data store or not.
        Specified by:
        shouldPersistNameIDFormat in interface SPAccountMapper
        Parameters:
        realm - The hosted SP's realm.
        hostEntityID - The hosted SP's entityID.
        remoteEntityID - The remote IdP's entityID.
        nameIDFormat - The non-transient NameID-Format in question.
        Returns:
        true if the provided NameID-Format should be persisted in the user data store, false otherwise.
      • getTransientUser

        protected String getTransientUser(String realm,
                                          String entityID)
        Returns the transient user configured in the hosted entity configuration.
        Parameters:
        realm - Realm name for the given entity.
        entityID - Hosted EntityID.
        Returns:
        The transient user id configured in entity configuration, or null if not configured or failed for any reason.
      • getAutoFedUser

        protected String getAutoFedUser(String realm,
                                        String entityID,
                                        Assertion assertion,
                                        String decryptedNameID,
                                        Set<PrivateKey> decryptionKeys)
                                 throws SAML2Exception
        Returns the user mapped from the auto federation attribute.
        Parameters:
        realm - Realm name.
        entityID - Hosted EntityID.
        assertion - Assertion from the identity provider.
        Returns:
        The user mapped from the auto federation attribute in the assertion's AttributeStatement. If the statement does not carry the auto federation attribute, the NameID value is used instead when "use NameID as SP user ID" is enabled; otherwise null.
        Throws:
        SAML2Exception
      • isDynamicalOrIgnoredProfile

        protected boolean isDynamicalOrIgnoredProfile(String realm)
        Checks if dynamical profile creation or ignore profile is enabled.
        Parameters:
        realm - Realm to check the dynamical profile creation attributes.
        Returns:
        true if dynamical profile creation or ignore profile is enabled, false otherwise.
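The following is an added example of a custom mapper built on this class; it is not part of the OpenAM/ForgeRock code base. It keeps the resolution order described for getIdentity (transient user, then existing federation, then auto federation) by delegating to the superclass, but first restricts which NameID-Formats it is willing to map at all, and it overrides shouldPersistNameIDFormat so that federations are written to the user store only for one trusted IdP. Assumptions: the package names com.sun.identity.saml2.* and the accessors Assertion.getSubject(), Subject.getNameID() and NameID.getFormat() follow the OpenAM SAML2 API; the SAML2Exception(String) constructor exists; the package com.example.saml2, the class name and the IdP entityID are placeholders.

```java
package com.example.saml2; // placeholder package

import java.util.Set;
import java.util.logging.Logger;

import com.sun.identity.saml2.assertion.Assertion;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper;

/**
 * Example SP account mapper (not project code). Delegates the actual
 * transient / federated / auto-federation lookup to the default
 * implementation and adds two policy decisions around it.
 */
public class RestrictedSPAccountMapper extends DefaultLibrarySPAccountMapper {

    private static final Logger LOG =
            Logger.getLogger(RestrictedSPAccountMapper.class.getName());

    // Standard SAML 2.0 NameID-Format URNs (from the SAML Core spec).
    private static final String FORMAT_TRANSIENT =
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
    private static final String FORMAT_PERSISTENT =
            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";

    // Formats this SP is willing to map to a local account at all.
    private static final Set<String> ALLOWED_FORMATS =
            Set.of(FORMAT_TRANSIENT, FORMAT_PERSISTENT);

    // Placeholder: the only IdP whose federations may be persisted.
    private static final String TRUSTED_IDP_ENTITY_ID =
            "https://idp.example.com/saml2"; // placeholder value

    @Override
    public String getIdentity(Assertion assertion, String hostEntityID, String realm)
            throws SAML2Exception {
        String format = nameIDFormat(assertion);

        // Policy: refuse to map assertions whose NameID-Format is not on the
        // allow list, before any user lookup or auto federation is attempted.
        if (format == null || !ALLOWED_FORMATS.contains(format)) {
            LOG.warning("Rejecting assertion for realm " + realm
                    + ": NameID-Format not allowed: " + format);
            throw new SAML2Exception("NameID-Format not allowed by SP policy: " + format);
        }

        // Default behaviour: transient user, then federated user, then auto federation.
        String user = super.getIdentity(assertion, hostEntityID, realm);
        LOG.info("Mapped assertion (format " + format + ") in realm " + realm
                + " to user " + user);
        return user;
    }

    @Override
    public boolean shouldPersistNameIDFormat(String realm, String hostEntityID,
            String remoteEntityID, String nameIDFormat) {
        // Persist a federation only for persistent identifiers issued by the
        // trusted IdP; everything else is re-resolved on every login and never
        // written to the user data store.
        boolean persist = TRUSTED_IDP_ENTITY_ID.equals(remoteEntityID)
                && FORMAT_PERSISTENT.equals(nameIDFormat);
        if (!persist) {
            LOG.fine("Not persisting NameID-Format " + nameIDFormat
                    + " from " + remoteEntityID + " in realm " + realm);
        }
        return persist;
    }

    /** Extracts the NameID-Format from the assertion's Subject, or null if absent. */
    private static String nameIDFormat(Assertion assertion) {
        Subject subject = assertion.getSubject();          // assumed accessor
        NameID nameID = subject == null ? null : subject.getNameID(); // assumed accessor
        return nameID == null ? null : nameID.getFormat(); // assumed accessor
    }
}
```

To use the mapper, compile it against the OpenAM SAML2 libraries and reference its fully qualified class name in the hosted SP's "Account Mapper" setting in place of the default. Because the format check runs before super.getIdentity, a disallowed format never reaches the transient-user, federation or auto-federation lookups, which keeps the decision in one place rather than spread across the protected helpers.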