opensaml-3.2.1
SecurityPolicyRule.h File Reference

Licensed to the University Corporation for Advanced Internet Development, Inc. More...

#include <saml/base.h>
#include <set>
#include <string>

Classes

class  opensaml::SecurityPolicyRule
 A rule that a protocol request and message must meet in order to be valid and secure. More...
 

Namespaces

 opensaml
 Common classes for OpenSAML library.
 

Macros

#define AUDIENCE_POLICY_RULE   "Audience"
 SecurityPolicyRule for evaluation of SAML AudienceRestriction Conditions.
 
#define DELEGATION_POLICY_RULE   "Delegation"
 SecurityPolicyRule for evaluation of SAML DelegationRestriction Conditions.
 
#define CLIENTCERTAUTH_POLICY_RULE   "ClientCertAuth"
 SecurityPolicyRule for TLS client certificate authentication. More...
 
#define CONDITIONS_POLICY_RULE   "Conditions"
 SecurityPolicyRule for evaluation of SAML Conditions.
 
#define IGNORE_POLICY_RULE   "Ignore"
 SecurityPolicyRule for ignoring a SAML Condition.
 
#define MESSAGEFLOW_POLICY_RULE   "MessageFlow"
 SecurityPolicyRule for replay detection and freshness checking. More...
 
#define NULLSECURITY_POLICY_RULE   "NullSecurity"
 SecurityPolicyRule for disabling security. More...
 
#define SIMPLESIGNING_POLICY_RULE   "SimpleSigning"
 SecurityPolicyRule for protocol message "blob" signing. More...
 
#define XMLSIGNING_POLICY_RULE   "XMLSigning"
 SecurityPolicyRule for protocol message XML signing. More...
 
#define SAML1BROWSERSSO_POLICY_RULE   "SAML1BrowserSSO"
 SecurityPolicyRule for SAML 1.x Browser SSO profile validation. More...
 
#define BEARER_POLICY_RULE   "Bearer"
 SecurityPolicyRule for SAML 2.0 bearer SubjectConfirmation. More...
 

Functions

void opensaml::registerSecurityPolicyRules ()
 Registers SecurityPolicyRule plugins into the runtime.
 

Detailed Description

Licensed to the University Corporation for Advanced Internet Development, Inc.

(UCAID) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership.

UCAID licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Policy rules that secure and authenticate bindings.

Macro Definition Documentation

◆ BEARER_POLICY_RULE

#define BEARER_POLICY_RULE   "Bearer"

SecurityPolicyRule for SAML 2.0 bearer SubjectConfirmation.

Optionally enforces message delivery requirements based on SubjectConfirmationData.

The XML attributes "checkValidity", "checkRecipient", and "checkCorrelation" can be set "false" to disable checks of NotBefore/NotOnOrAfter, Recipient, and InResponseTo confirmation data respectively.

◆ CLIENTCERTAUTH_POLICY_RULE

#define CLIENTCERTAUTH_POLICY_RULE   "ClientCertAuth"

SecurityPolicyRule for TLS client certificate authentication.

Evaluates client certificates against the issuer's metadata.

◆ MESSAGEFLOW_POLICY_RULE

#define MESSAGEFLOW_POLICY_RULE   "MessageFlow"

SecurityPolicyRule for replay detection and freshness checking.

A ReplayCache instance must be available from the runtime, unless a "checkReplay" XML attribute is set to "0" or "false" when instantiating the policy rule.

Messages must have been issued in the past, but no more than 60 seconds ago, or up to a number of seconds set by an "expires" XML attribute when instantiating the policy rule.

◆ NULLSECURITY_POLICY_RULE

#define NULLSECURITY_POLICY_RULE   "NullSecurity"

SecurityPolicyRule for disabling security.

Allows the message issuer to be authenticated regardless of the message or transport. Used mainly for debugging or in situations that I wouldn't care to comment on.

◆ SAML1BROWSERSSO_POLICY_RULE

#define SAML1BROWSERSSO_POLICY_RULE   "SAML1BrowserSSO"

SecurityPolicyRule for SAML 1.x Browser SSO profile validation.

Enforces presence of time conditions and proper subject confirmation.

◆ SIMPLESIGNING_POLICY_RULE

#define SIMPLESIGNING_POLICY_RULE   "SimpleSigning"

SecurityPolicyRule for protocol message "blob" signing.

Allows the message issuer to be authenticated using a non-XML digital signature over the message body. The transport layer is not considered.

◆ XMLSIGNING_POLICY_RULE

#define XMLSIGNING_POLICY_RULE   "XMLSigning"

SecurityPolicyRule for protocol message XML signing.

Allows the message issuer to be authenticated using an XML digital signature over the message. The transport layer is not considered.