Package com.nimbusds.oauth2.sdk.assertions.saml2

Class SAML2AssertionDetails

java.lang.Object
com.nimbusds.oauth2.sdk.assertions.AssertionDetails
com.nimbusds.oauth2.sdk.assertions.saml2.SAML2AssertionDetails
@Immutable public class SAML2AssertionDetails extends AssertionDetails
SAML 2.0 bearer assertion details for OAuth 2.0 client authentication and authorisation grants.

Used for SAML 2.0 bearer assertion grants.

Example SAML 2.0 assertion: 

 <Assertion IssueInstant="2010-10-01T20:07:34.619Z"
            ID="ef1xsbZxPV2oqjd7HTLRLIBlBb7"
            Version="2.0"
            xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
     <Issuer>https://saml-idp.example.com</Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         [...omitted for brevity...]
     </ds:Signature>
     <Subject>
         <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
             brian@example.com
         </NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <SubjectConfirmationData NotOnOrAfter="2010-10-01T20:12:34.619Z"
                                      Recipient="https://authz.example.net/token.oauth2"/>
         </SubjectConfirmation>
     </Subject>
     <Conditions>
         <AudienceRestriction>
             <Audience>https://saml-sp.example.net</Audience>
         </AudienceRestriction>
     </Conditions>
     <AuthnStatement AuthnInstant="2010-10-01T20:07:34.371Z">
         <AuthnContext>
             <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</AuthnContextClassRef>
         </AuthnContext>
     </AuthnStatement>
 </Assertion>

Related specifications:

  • Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522), section 3.

  • Constructor Details

    • SAML2AssertionDetails

      public SAML2AssertionDetails(Issuer issuer, Subject subject, Audience audience)
      Creates a new SAML 2.0 bearer assertion details instance. The expiration time is set to five minutes from the current system time. Generates a default identifier for the assertion. The issue time is set to the current system time.
      Parameters:
      issuer - The issuer. Must not be null.
      subject - The subject. Must not be null.
      audience - The audience, typically the URI of the authorisation server's token endpoint. Must not be null.

    • SAML2AssertionDetails

      public SAML2AssertionDetails(Issuer issuer, Subject subject, String subjectFormat, Date subjectAuthTime, ACR subjectACR, List<Audience> audience, Date exp, Date nbf, Date iat, Identifier id, InetAddress clientAddress, Map<String,List<String>> attrStatement)
      Creates a new SAML 2.0 bearer assertion details instance.
      Parameters:
      issuer - The issuer. Must not be null.
      subject - The subject. Must not be null.
      subjectFormat - The subject format, null if not specified.
      subjectAuthTime - The subject authentication time, null if not specified.
      subjectACR - The subject Authentication Context Class Reference (ACR), null if not specified.
      audience - The audience, typically including the URI of the authorisation server's token endpoint. Must not be null.
      exp - The expiration time. Must not be null.
      nbf - The time before which the assertion must not be accepted for processing, null if not specified.
      iat - The time at which the assertion was issued. Must not be null.
      id - Unique identifier for the assertion. Must not be null.
      clientAddress - The client address, null if not specified.
      attrStatement - The attribute statement (in simplified form), null if not specified.

  • Method Details

    • getSubjectFormat

      public String getSubjectFormat()
      Returns the optional subject format.
      Returns:
      The subject format, null if not specified.

    • getSubjectAuthenticationTime

      public Date getSubjectAuthenticationTime()
      Returns the optional subject authentication time.
      Returns:
      The subject authentication time, null if not specified.

    • getSubjectACR

      public ACR getSubjectACR()
      Returns the optional subject Authentication Context Class Reference (ACR).
      Returns:
      The subject ACR, null if not specified.

    • getNotBeforeTime

      public Date getNotBeforeTime()
      Returns the optional not-before time.
      Returns:
      The not-before time, null if not specified.

    • getClientInetAddress

      public InetAddress getClientInetAddress()
      Returns the optional client address to which this assertion is bound.
      Returns:
      The client address, null if not specified.

    • getAttributeStatement

      public Map<String,List<String>> getAttributeStatement()
      Returns the optional attribute statement.
      Returns:
      The attribute statement (in simplified form), null if not specified.

    • toSAML2Assertion

      public org.opensaml.saml.saml2.core.Assertion toSAML2Assertion() throws SerializeException
      Returns a SAML 2.0 assertion (unsigned) representation of this assertion details instance.
      Returns:
      The SAML 2.0 assertion (with no signature element).
      Throws:
      SerializeException - If serialisation failed.

    • parse

      public static SAML2AssertionDetails parse(org.opensaml.saml.saml2.core.Assertion assertion) throws ParseException
      Parses a SAML 2.0 bearer assertion details instance from the specified assertion object.
      Parameters:
      assertion - The assertion. Must not be null.
      Returns:
      The SAML 2.0 bearer assertion details.
      Throws:
      ParseException - If the assertion couldn't be parsed to a SAML 2.0 bearer assertion details instance.