Skip to main content


class EnsLib.SOAP.SAMLGenericService extends EnsLib.SOAP.GenericService

SOAP Generic Service that can validate the signature and timestamps on a SAML token

Property Inventory

Method Inventory


parameter SETTINGS = Validation:Connection,TrustedX509File:Connection;
Inherited description: Can't do grace period without an OnTask loop


property SAMLAttributes as %String;
Comma separated list of attributes to record for statistics.
The attribute names are case sensitive.
Property methods: SAMLAttributesDisplayToLogical(), SAMLAttributesGet(), SAMLAttributesIsValid(), SAMLAttributesLogicalToDisplay(), SAMLAttributesLogicalToOdbc(), SAMLAttributesNormalize(), SAMLAttributesSet()
property TrustedX509File as %String (MAXLEN = 900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the 'mgr' directory contains a 'iris.cer' file then that file will be used.
Property methods: TrustedX509FileDisplayToLogical(), TrustedX509FileGet(), TrustedX509FileIsValid(), TrustedX509FileLogicalToDisplay(), TrustedX509FileLogicalToOdbc(), TrustedX509FileNormalize(), TrustedX509FileSet()
property Validation as %String [ InitialExpression = "1" ];
Specifies types of Assertion validation to perform on element:
  • t - must contain a signed SAML token
  • a - token must contain an Assertion
  • u - token must contain an unsigned Assertion. If not found the error text is "No Unsigned Assertion".
  • If both a and u are specified then either a signed or unsigned assertion needs to be present.
  • s - combine with u - if unsigned assertions exist the s requires them be a children of signed elements. Note: The Assertion might be wrapped in a structure that does not follow from schema.
  • r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
  • v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions
  • If option 'u' is specified and 'v' NotBefore/NotOnOrAfter conditions will also be checked.
  • o - validate other signed nodes within the assertion such as TimeStamp. Signed reference elements with attribute name of ID or Id will be searched for.
If 1 is specified it is equivalent to 'tarvo'.

When checking the NotBefore/NotOnOrAfter time conditions the default clock skew allowance is 90 seconds.
To change the skew allowance Set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item or ^Ens.Config("SAML","ClockSkew") for all items using this validation to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.

Property methods: ValidationDisplayToLogical(), ValidationGet(), ValidationIsValid(), ValidationLogicalToDisplay(), ValidationLogicalToOdbc(), ValidationNormalize(), ValidationSet()


method OnValidate(pMsg As EnsLib.SOAP.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent default validation of the message (if any);
classmethod normalizeValSpec(pValSpec As %String) as %String
Convert to lower case, with inverse spec chars converted to upper case

Inherited Members

Inherited Properties

Inherited Methods

FeedbackOpens in a new tab