2 * Copyright 2001-2006 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file saml/saml2/core/Assertions.h
20 * XMLObjects representing the SAML 2.0 Assertions schema
23 #ifndef __saml2_assertions_h__
24 #define __saml2_assertions_h__
26 #include <saml/signature/SignableObject.h>
27 #include <saml/util/SAMLConstants.h>
29 #include <xmltooling/AttributeExtensibleXMLObject.h>
30 #include <xmltooling/ElementProxy.h>
31 #include <xmltooling/SimpleElement.h>
32 #include <xmltooling/XMLObjectBuilder.h>
33 #include <xmltooling/encryption/Encryption.h>
34 #include <xmltooling/signature/KeyResolver.h>
35 #include <xmltooling/signature/Signature.h>
36 #include <xmltooling/util/DateTime.h>
37 #include <xmltooling/validation/ValidatorSuite.h>
39 #define DECL_SAML2OBJECTBUILDER(cname) \
40 DECL_XMLOBJECTBUILDER(SAML_API,cname,opensaml::SAMLConstants::SAML20_NS,opensaml::SAMLConstants::SAML20_PREFIX)
45 * @namespace opensaml::saml2
46 * SAML 2.0 assertion namespace
51 class SAML_API Assertion;
52 class SAML_API EncryptedAssertion;
54 DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionIDRef,AssertionID,SAML 2.0 AssertionIDRef element);
55 DECL_XMLOBJECT_SIMPLE(SAML_API,AssertionURIRef,AssertionURI,SAML 2.0 AssertionURIRef element);
56 DECL_XMLOBJECT_SIMPLE(SAML_API,Audience,AudienceURI,SAML 2.0 Audience element);
57 DECL_XMLOBJECT_SIMPLE(SAML_API,AuthnContextClassRef,Reference,SAML 2.0 AuthnContextClassRef element);
58 DECL_XMLOBJECT_SIMPLE(SAML_API,AuthnContextDeclRef,Reference,SAML 2.0 AuthnContextDeclRef element);
59 DECL_XMLOBJECT_SIMPLE(SAML_API,AuthenticatingAuthority,ID,SAML 2.0 AuthenticatingAuthority element);
61 BEGIN_XMLOBJECT(SAML_API,EncryptedElementType,xmltooling::XMLObject,SAML 2.0 EncryptedElementType type);
62 DECL_TYPED_FOREIGN_CHILD(EncryptedData,xmlencryption);
63 DECL_TYPED_FOREIGN_CHILDREN(EncryptedKey,xmlencryption);
64 /** EncryptedElementType local name */
65 static const XMLCh TYPE_NAME[];
68 * Decrypts the element using a standard approach based on a wrapped decryption key
69 * inside the message. The key decryption key should be supplied using the provided
70 * resolver. The recipient name may be used when multiple encrypted keys are found.
71 * The object returned will be unmarshalled around the decrypted DOM element, but the
72 * DOM itself will be released.
74 * @param KEKresolver resolver supplying key decryption key
75 * @param recipient identifier naming the recipient (the entity performing the decryption)
76 * @return the decrypted and unmarshalled object
 *
 * The result is handed back as a raw pointer; the caller presumably takes ownership and
 * must free it — confirm against the implementation.
 *
 * NOTE(review): decryption is only a confidentiality step. Nothing in this declaration
 * validates the decrypted content, so any signature, Conditions and SubjectConfirmation
 * checks still have to be applied to the returned object by the caller (presumably via
 * the normal validation path — confirm).
78 virtual xmltooling::XMLObject* decrypt(xmlsignature::KeyResolver* KEKresolver, const XMLCh* recipient) const=0;
81 BEGIN_XMLOBJECT(SAML_API,EncryptedID,EncryptedElementType,SAML 2.0 EncryptedID element);
84 BEGIN_XMLOBJECT(SAML_API,BaseID,xmltooling::XMLObject,SAML 2.0 BaseIDAbstractType abstract type);
85 DECL_STRING_ATTRIB(NameQualifier,NAMEQUALIFIER);
86 DECL_STRING_ATTRIB(SPNameQualifier,SPNAMEQUALIFIER);
89 BEGIN_XMLOBJECT(SAML_API,NameIDType,xmltooling::SimpleElement,SAML 2.0 NameIDType type);
90 DECL_STRING_ATTRIB(NameQualifier,NAMEQUALIFIER);
91 DECL_STRING_ATTRIB(SPNameQualifier,SPNAMEQUALIFIER);
92 DECL_STRING_ATTRIB(Format,FORMAT);
93 DECL_STRING_ATTRIB(SPProvidedID,SPPROVIDEDID);
94 DECL_XMLOBJECT_CONTENT(Name);
95 /** NameIDType local name */
96 static const XMLCh TYPE_NAME[];
97 /** Unspecified name format ID */
\r
98 static const XMLCh UNSPECIFIED[];
\r
99 /** Email address name format ID */
\r
100 static const XMLCh EMAIL[];
\r
101 /** X.509 subject name format ID */
\r
102 static const XMLCh X509_SUBJECT[];
\r
103 /** Windows domain qualified name format ID */
\r
104 static const XMLCh WIN_DOMAIN_QUALIFIED[];
\r
105 /** Kerberos principal name format ID */
\r
106 static const XMLCh KERBEROS[];
\r
107 /** Entity identifier name format ID */
\r
108 static const XMLCh ENTITY[];
\r
109 /** Persistent identifier name format ID */
\r
110 static const XMLCh PERSISTENT[];
\r
111 /** Transient identifier name format ID */
\r
112 static const XMLCh TRANSIENT[];
\r
115 BEGIN_XMLOBJECT(SAML_API,NameID,NameIDType,SAML 2.0 NameID element);
118 BEGIN_XMLOBJECT(SAML_API,Issuer,NameIDType,SAML 2.0 Issuer element);
121 BEGIN_XMLOBJECT(SAML_API,Condition,xmltooling::XMLObject,SAML 2.0 Condition element);
124 BEGIN_XMLOBJECT(SAML_API,AudienceRestriction,Condition,SAML 2.0 AudienceRestriction element);
125 DECL_TYPED_CHILDREN(Audience);
126 /** AudienceRestrictionType local name */
127 static const XMLCh TYPE_NAME[];
130 BEGIN_XMLOBJECT(SAML_API,OneTimeUse,Condition,SAML 2.0 OneTimeUse element);
131 /** OneTimeUseType local name */
132 static const XMLCh TYPE_NAME[];
135 BEGIN_XMLOBJECT(SAML_API,ProxyRestriction,Condition,SAML 2.0 ProxyRestriction element);
136 DECL_INTEGER_ATTRIB(Count,COUNT);
137 DECL_TYPED_CHILDREN(Audience);
138 /** ProxyRestrictionType local name */
139 static const XMLCh TYPE_NAME[];
142 BEGIN_XMLOBJECT(SAML_API,Conditions,xmltooling::XMLObject,SAML 2.0 Conditions element);
/**
 * NOTE(review): these declarations only expose the validity window (NotBefore/NotOnOrAfter)
 * and the condition children; nothing here enforces them. Checking the window (with whatever
 * clock-skew allowance the deployment uses), matching an AudienceRestriction against the
 * relying party's own identifier, and honouring OneTimeUse / ProxyRestriction is presumably
 * done by a separate validator — confirm before relying on an Assertion. Generic Condition
 * children of an unrecognized type presumably have to be rejected rather than ignored — confirm.
 */
143 DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
144 DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
145 DECL_TYPED_CHILDREN(AudienceRestriction);
146 DECL_TYPED_CHILDREN(OneTimeUse);
147 DECL_TYPED_CHILDREN(ProxyRestriction);
148 DECL_TYPED_CHILDREN(Condition);
149 /** ConditionsType local name */
150 static const XMLCh TYPE_NAME[];
153 BEGIN_XMLOBJECT2(SAML_API,SubjectConfirmationData,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 SubjectConfirmationData element);
/**
 * NOTE(review): Recipient, InResponseTo, Address and NotBefore/NotOnOrAfter are the values a
 * relying party compares against its own endpoint, the request it has outstanding, the client
 * address and the current time when confirming a subject. This type only carries them; the
 * comparison is presumably performed elsewhere (a validator) — confirm, and note that a missing
 * attribute is not the same as a matching one.
 */
154 DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
155 DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
156 DECL_STRING_ATTRIB(Recipient,RECIPIENT);
157 DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
158 DECL_STRING_ATTRIB(Address,ADDRESS);
159 DECL_XMLOBJECT_CONTENT(Data);
162 BEGIN_XMLOBJECT(SAML_API,KeyInfoConfirmationDataType,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 KeyInfoConfirmationDataType type);
163 DECL_DATETIME_ATTRIB(NotBefore,NOTBEFORE);
164 DECL_DATETIME_ATTRIB(NotOnOrAfter,NOTONORAFTER);
165 DECL_STRING_ATTRIB(Recipient,RECIPIENT);
166 DECL_STRING_ATTRIB(InResponseTo,INRESPONSETO);
167 DECL_STRING_ATTRIB(Address,ADDRESS);
/**
 * NOTE(review): the KeyInfo children identify the key the presenter is expected to prove
 * possession of. This type only carries that key information; the proof-of-possession check
 * itself is presumably performed by the consumer — confirm.
 */
168 DECL_TYPED_FOREIGN_CHILDREN(KeyInfo,xmlsignature);
169 /** KeyInfoConfirmationDataType local name */
170 static const XMLCh TYPE_NAME[];
173 BEGIN_XMLOBJECT(SAML_API,SubjectConfirmation,xmltooling::XMLObject,SAML 2.0 SubjectConfirmation element);
174 DECL_STRING_ATTRIB(Method,METHOD);
175 DECL_TYPED_CHILD(BaseID);
176 DECL_TYPED_CHILD(NameID);
177 DECL_TYPED_CHILD(EncryptedID);
178 DECL_XMLOBJECT_CHILD(SubjectConfirmationData);
179 DECL_TYPED_CHILD(KeyInfoConfirmationDataType);
180 /** SubjectConfirmationType local name */
181 static const XMLCh TYPE_NAME[];
182 /** Bearer confirmation method */
183 static const XMLCh BEARER[];
\r
184 /** Holder of key confirmation method */
\r
185 static const XMLCh HOLDER_KEY[];
\r
186 /** Sender vouches confirmation method */
\r
187 static const XMLCh SENDER_VOUCHES[];
\r
190 BEGIN_XMLOBJECT(SAML_API,Subject,xmltooling::XMLObject,SAML 2.0 Subject element);
191 DECL_TYPED_CHILD(BaseID);
192 DECL_TYPED_CHILD(NameID);
193 DECL_TYPED_CHILD(EncryptedID);
194 DECL_TYPED_CHILDREN(SubjectConfirmation);
195 /** SubjectType local name */
196 static const XMLCh TYPE_NAME[];
199 BEGIN_XMLOBJECT(SAML_API,Statement,xmltooling::XMLObject,SAML 2.0 Statement element);
202 BEGIN_XMLOBJECT(SAML_API,SubjectLocality,xmltooling::XMLObject,SAML 2.0 SubjectLocality element);
203 DECL_STRING_ATTRIB(Address,ADDRESS);
204 DECL_STRING_ATTRIB(DNSName,DNSNAME);
205 /** SubjectLocalityType local name */
206 static const XMLCh TYPE_NAME[];
209 BEGIN_XMLOBJECT2(SAML_API,AuthnContextDecl,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 AuthnContextDecl element);
212 BEGIN_XMLOBJECT(SAML_API,AuthnContext,xmltooling::XMLObject,SAML 2.0 AuthnContext element);
213 DECL_TYPED_CHILD(AuthnContextClassRef);
214 DECL_XMLOBJECT_CHILD(AuthnContextDecl);
215 DECL_TYPED_CHILD(AuthnContextDeclRef);
216 DECL_TYPED_CHILDREN(AuthenticatingAuthority);
217 /** AuthnContextType local name */
218 static const XMLCh TYPE_NAME[];
221 BEGIN_XMLOBJECT(SAML_API,AuthnStatement,Statement,SAML 2.0 AuthnStatement element);
222 DECL_DATETIME_ATTRIB(AuthnInstant,AUTHNINSTANT);
223 DECL_STRING_ATTRIB(SessionIndex,SESSIONINDEX);
224 DECL_DATETIME_ATTRIB(SessionNotOnOrAfter,SESSIONNOTONORAFTER);
225 DECL_TYPED_CHILD(SubjectLocality);
226 DECL_TYPED_CHILD(AuthnContext);
227 /** AuthnStatementType local name */
228 static const XMLCh TYPE_NAME[];
231 BEGIN_XMLOBJECT(SAML_API,Action,xmltooling::SimpleElement,SAML 2.0 Action element);
232 DECL_STRING_ATTRIB(Namespace,NAMESPACE);
233 DECL_XMLOBJECT_CONTENT(Action);
234 /** ActionType local name */
235 static const XMLCh TYPE_NAME[];
236 /** Read/Write/Execute/Delete/Control with Negation Action Namespace (the _NEG variant) */
237 static const XMLCh RWEDC_NEG_ACTION_NAMESPACE[];
\r
238 /** Read/Write/Execute/Delete/Control Action Namespace (without negation) */
239 static const XMLCh RWEDC_ACTION_NAMESPACE[];
\r
240 /** Get/Head/Put/Post Action Namespace */
241 static const XMLCh GHPP_ACTION_NAMESPACE[];
\r
242 /** UNIX File Permissions Action Namespace */
243 static const XMLCh UNIX_ACTION_NAMESPACE[];
\r
246 BEGIN_XMLOBJECT(SAML_API,Evidence,xmltooling::XMLObject,SAML 2.0 Evidence element);
247 DECL_TYPED_CHILDREN(AssertionIDRef);
248 DECL_TYPED_CHILDREN(AssertionURIRef);
249 DECL_TYPED_CHILDREN(Assertion);
250 DECL_TYPED_CHILDREN(EncryptedAssertion);
251 /** EvidenceType local name */
252 static const XMLCh TYPE_NAME[];
255 BEGIN_XMLOBJECT(SAML_API,AuthzDecisionStatement,Statement,SAML 2.0 AuthzDecisionStatement element);
256 DECL_STRING_ATTRIB(Resource,RESOURCE);
/**
 * NOTE(review): Decision is carried as a plain string. Consumers should presumably compare it
 * against the DECISION_* constants below and treat anything other than DECISION_PERMIT
 * (including an absent or unrecognized value) as not permitted, i.e. fail closed — confirm.
 */
257 DECL_STRING_ATTRIB(Decision,DECISION);
258 DECL_TYPED_CHILDREN(Action);
259 DECL_TYPED_CHILD(Evidence);
260 /** AuthzDecisionStatementType local name */
261 static const XMLCh TYPE_NAME[];
262 /** Permit Decision */
263 static const XMLCh DECISION_PERMIT[];
/** Deny Decision */
265 static const XMLCh DECISION_DENY[];
266 /** Indeterminate Decision */
267 static const XMLCh DECISION_INDETERMINATE[];
270 BEGIN_XMLOBJECT2(SAML_API,AttributeValue,xmltooling::ElementProxy,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 AttributeValue element);
273 BEGIN_XMLOBJECT(SAML_API,Attribute,xmltooling::AttributeExtensibleXMLObject,SAML 2.0 Attribute element);
274 DECL_STRING_ATTRIB(Name,NAME);
275 DECL_STRING_ATTRIB(NameFormat,NAMEFORMAT);
276 DECL_STRING_ATTRIB(FriendlyName,FRIENDLYNAME);
277 DECL_XMLOBJECT_CHILDREN(AttributeValue);
278 /** AttributeType local name */
279 static const XMLCh TYPE_NAME[];
280 /** Unspecified attribute name format ID */
\r
281 static const XMLCh UNSPECIFIED[];
\r
282 /** URI reference attribute name format ID */
\r
283 static const XMLCh URI_REFERENCE[];
\r
284 /** Basic attribute name format ID */
\r
285 static const XMLCh BASIC[];
\r
288 BEGIN_XMLOBJECT(SAML_API,EncryptedAttribute,EncryptedElementType,SAML 2.0 EncryptedAttribute element);
291 BEGIN_XMLOBJECT(SAML_API,AttributeStatement,Statement,SAML 2.0 AttributeStatement element);
292 DECL_TYPED_CHILDREN(Attribute);
293 DECL_TYPED_CHILDREN(EncryptedAttribute);
294 /** AttributeStatementType local name */
295 static const XMLCh TYPE_NAME[];
298 BEGIN_XMLOBJECT(SAML_API,EncryptedAssertion,EncryptedElementType,SAML 2.0 EncryptedAssertion element);
301 BEGIN_XMLOBJECT(SAML_API,Advice,xmltooling::XMLObject,SAML 2.0 Advice element);
302 DECL_TYPED_CHILDREN(AssertionIDRef);
303 DECL_TYPED_CHILDREN(AssertionURIRef);
304 DECL_TYPED_CHILDREN(Assertion);
305 DECL_TYPED_CHILDREN(EncryptedAssertion);
306 DECL_XMLOBJECT_CHILDREN(Other);
307 /** AdviceType local name */
308 static const XMLCh TYPE_NAME[];
311 BEGIN_XMLOBJECT(SAML_API,Assertion,SignableObject,SAML 2.0 Assertion element);
312 DECL_STRING_ATTRIB(Version,VER);
313 DECL_STRING_ATTRIB(ID,ID);
314 DECL_DATETIME_ATTRIB(IssueInstant,ISSUEINSTANT);
315 DECL_TYPED_CHILD(Issuer);
/**
 * NOTE(review): this exposes the enveloped ds:Signature element only. Its presence says nothing
 * about whether it has been verified, or whether its reference actually covers this Assertion's
 * ID; verification presumably happens through the SignableObject base — confirm before trusting
 * the Subject, Conditions or any statement below.
 */
316 DECL_TYPED_FOREIGN_CHILD(Signature,xmlsignature);
317 DECL_TYPED_CHILD(Subject);
318 DECL_TYPED_CHILD(Conditions);
319 DECL_TYPED_CHILD(Advice);
320 DECL_TYPED_CHILDREN(Statement);
321 DECL_TYPED_CHILDREN(AuthnStatement);
322 DECL_TYPED_CHILDREN(AttributeStatement);
323 DECL_TYPED_CHILDREN(AuthzDecisionStatement);
324 /** AssertionType local name */
325 static const XMLCh TYPE_NAME[];
328 DECL_SAML2OBJECTBUILDER(Action);
329 DECL_SAML2OBJECTBUILDER(Advice);
330 DECL_SAML2OBJECTBUILDER(Assertion);
331 DECL_SAML2OBJECTBUILDER(AssertionIDRef);
332 DECL_SAML2OBJECTBUILDER(AssertionURIRef);
333 DECL_SAML2OBJECTBUILDER(Attribute);
334 DECL_SAML2OBJECTBUILDER(AttributeStatement);
335 DECL_SAML2OBJECTBUILDER(AttributeValue);
336 DECL_SAML2OBJECTBUILDER(Audience);
337 DECL_SAML2OBJECTBUILDER(AudienceRestriction);
338 DECL_SAML2OBJECTBUILDER(AuthenticatingAuthority);
339 DECL_SAML2OBJECTBUILDER(AuthnContext);
340 DECL_SAML2OBJECTBUILDER(AuthnContextClassRef);
341 DECL_SAML2OBJECTBUILDER(AuthnContextDecl);
342 DECL_SAML2OBJECTBUILDER(AuthnContextDeclRef);
343 DECL_SAML2OBJECTBUILDER(AuthnStatement);
344 DECL_SAML2OBJECTBUILDER(AuthzDecisionStatement);
345 DECL_SAML2OBJECTBUILDER(Conditions);
346 DECL_SAML2OBJECTBUILDER(EncryptedAssertion);
347 DECL_SAML2OBJECTBUILDER(EncryptedAttribute);
348 DECL_SAML2OBJECTBUILDER(EncryptedID);
349 DECL_SAML2OBJECTBUILDER(Evidence);
350 DECL_SAML2OBJECTBUILDER(Issuer);
351 DECL_SAML2OBJECTBUILDER(NameID);
352 DECL_SAML2OBJECTBUILDER(OneTimeUse);
353 DECL_SAML2OBJECTBUILDER(ProxyRestriction);
354 DECL_SAML2OBJECTBUILDER(Subject);
355 DECL_SAML2OBJECTBUILDER(SubjectConfirmation);
356 DECL_SAML2OBJECTBUILDER(SubjectConfirmationData);
357 DECL_SAML2OBJECTBUILDER(SubjectLocality);
360 * Builder for NameIDType objects.
362 * This is customized to force the element name to be specified.
364 class SAML_API NameIDTypeBuilder : public xmltooling::XMLObjectBuilder {
/** Virtual so that deletion through an XMLObjectBuilder pointer is well-defined. */
366 virtual ~NameIDTypeBuilder() {}
367 /** Builds a NameIDType with the supplied element name and prefix and an optional xsi:type. */
368 virtual NameIDType* buildObject(
369 const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
372 /**
 * Convenience entry point: looks up the builder registered for the saml2:NameIDType schema
 * type and uses it to build an element of the given name carrying an xsi:type of NameIDType.
 *
 * @param nsURI     namespace URI of the element to build
 * @param localName local name of the element to build
 * @param prefix    namespace prefix to use (optional)
 * @return a newly built NameIDType; ownership presumably passes to the caller — confirm
 * @throws xmltooling::XMLObjectException if no builder is registered for the type, or the
 *         registered builder is not a NameIDTypeBuilder (the dynamic_cast yields NULL)
 */
373 static NameIDType* buildNameIDType(const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL) {
374 const NameIDTypeBuilder* b = dynamic_cast<const NameIDTypeBuilder*>(
375 XMLObjectBuilder::getBuilder(xmltooling::QName(SAMLConstants::SAML20_NS,NameIDType::TYPE_NAME))
378 xmltooling::QName schemaType(SAMLConstants::SAML20_NS,NameIDType::TYPE_NAME,SAMLConstants::SAML20_PREFIX);
379 return b->buildObject(nsURI, localName, prefix, &schemaType);
381 throw xmltooling::XMLObjectException("Unable to obtain typed builder for NameIDType.");
386 * Builder for KeyInfoConfirmationDataType objects.
388 * This is customized to return a SubjectConfirmationData element with an
389 * xsi:type of KeyInfoConfirmationDataType.
391 class SAML_API KeyInfoConfirmationDataTypeBuilder : public xmltooling::XMLObjectBuilder {
/** Virtual so that deletion through an XMLObjectBuilder pointer is well-defined. */
393 virtual ~KeyInfoConfirmationDataTypeBuilder() {}
394 /**
 * Builds a SubjectConfirmationData element (KeyInfoConfirmationDataType::LOCAL_NAME) in the
 * SAML 2.0 namespace whose xsi:type is set to KeyInfoConfirmationDataType.
 */
395 virtual KeyInfoConfirmationDataType* buildObject() const {
396 xmltooling::QName schemaType(
397 SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME,SAMLConstants::SAML20_PREFIX
400 SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::LOCAL_NAME,SAMLConstants::SAML20_PREFIX,&schemaType
403 /** Builds the object with the supplied element name and prefix and an optional xsi:type. */
404 virtual KeyInfoConfirmationDataType* buildObject(
405 const XMLCh* nsURI, const XMLCh* localName, const XMLCh* prefix=NULL, const xmltooling::QName* schemaType=NULL
408 /**
 * Convenience entry point: looks up the builder registered for the saml2:KeyInfoConfirmationDataType
 * schema type and uses its default buildObject() to create the element.
 *
 * @return a newly built KeyInfoConfirmationDataType; ownership presumably passes to the caller — confirm
 * @throws xmltooling::XMLObjectException if no builder is registered for the type, or the registered
 *         builder is not a KeyInfoConfirmationDataTypeBuilder (the dynamic_cast yields NULL)
 */
409 static KeyInfoConfirmationDataType* buildKeyInfoConfirmationDataType() {
410 const KeyInfoConfirmationDataTypeBuilder* b = dynamic_cast<const KeyInfoConfirmationDataTypeBuilder*>(
411 XMLObjectBuilder::getBuilder(xmltooling::QName(SAMLConstants::SAML20_NS,KeyInfoConfirmationDataType::TYPE_NAME))
414 return b->buildObject();
415 throw xmltooling::XMLObjectException("Unable to obtain typed builder for KeyInfoConfirmationDataType.");
420 * Registers builders and validators for SAML 2.0 Assertion classes into the runtime.
422 void SAML_API registerAssertionClasses();
425 * Validator suite for SAML 2.0 Assertion schema validation.
427 extern SAML_API xmltooling::ValidatorSuite AssertionSchemaValidators;
431 #endif /* __saml2_assertions_h__ */