

class Ens.Util.XML.SecuritySignature extends %Library.RegisteredObject

Used to check SAML Assertion signature outside SOAP framework

Method Inventory


classmethod FindAssertionAttributes(pSAML As %Stream.Object, ByRef pAssertionAttributes, Output pAttributes) as %Status
classmethod GetAssertionAttribute(pSAMLDoc As %XML.XPATH.Document, pNSP As %String = "", pSAMLVersion As %Integer = 2, pAssertAttribName As %String, ByRef pAssertAttribValues) as %Status
Retrieves SAML Assertion AttributeValue(s) from a SAML XPATH Doc for a given pAssertAttribName
classmethod ValidateSAML(pSAML As %GlobalCharacterStream, pValSpec As %String, pTrustedX509File As %String, pClockSkew As %String, ByRef pAttributes As %String, ByRef pAssertionAttributes As %String, Output pResults As %String, pXMLReader As %XML.Reader) as %Status
Check signatures and expiration as specified by pValSpec
This does not validate the XML schema used for the SAML token.
pValSpec specifies the types of Assertion validation to perform:
  • t - must contain a signed token
  • a - token must contain a signed Assertion. If not found the error text is "No Assertion"
  • u - token must contain an unsigned Assertion. If not found the error text is "No Unsigned Assertion".
  • If both a and u are specified then either a signed or unsigned assertion needs to be present.
  • s - combine with u - if unsigned assertions exist, s requires them to be children of signed elements. Note: The Assertion might be wrapped in a structure that does not follow from the schema.
  • r - require Assertions to contain both NotBefore and NotOnOrAfter time conditions.
  • v - verify Assertion signature and, if present, NotBefore/NotOnOrAfter conditions. If options 'u' and 'v' are both specified, the NotBefore/NotOnOrAfter conditions will also be checked.
  • o - validate other signed nodes within the assertion such as TimeStamp. Signed reference elements with attribute name of ID or Id will be searched for.
Set pClockSkew to the desired number of seconds, or to -1 to prevent NotBefore/NotOnOrAfter condition checking.
To carry out schema validation of the input stream, create an instance of %XML.Reader, set the appropriate properties for validation, and pass it in as the optional parameter pXMLReader.
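
An added example, not taken from this class reference: an ObjectScript class method that calls ValidateSAML with a strict pValSpec ("arv") and a positive clock skew, then rejects the token on any error status. The class name Demo.SAMLCheck, the method name CheckToken, the 120-second skew and the file paths passed in are assumptions.

```objectscript
/// Added example; Demo.SAMLCheck and CheckToken are hypothetical names.
Class Demo.SAMLCheck Extends %RegisteredObject
{

/// pTokenFile: file holding the SAML token (assumed path)
/// pTrustedCerts: value handed to pTrustedX509File (assumed path)
ClassMethod CheckToken(pTokenFile As %String, pTrustedCerts As %String) As %Status
{
    // Load the token from disk into the stream type ValidateSAML expects.
    Set tFile = ##class(%Stream.FileCharacter).%New()
    Set tSC = tFile.LinkToFile(pTokenFile)
    If $$$ISERR(tSC) Return tSC
    Set tSAML = ##class(%GlobalCharacterStream).%New()
    Set tSC = tSAML.CopyFrom(tFile)
    If $$$ISERR(tSC) Return tSC

    // a = the token must contain a signed Assertion
    // r = NotBefore and NotOnOrAfter must both be present
    // v = verify the signature and the time conditions
    // u (unsigned Assertion) is deliberately not requested.
    Set tValSpec = "arv"

    // Tolerated clock drift in seconds (value chosen for this example).
    // -1 would prevent NotBefore/NotOnOrAfter checking, so it is avoided.
    Set tClockSkew = 120

    Set tSC = ##class(Ens.Util.XML.SecuritySignature).ValidateSAML(tSAML, tValSpec, pTrustedCerts, tClockSkew, .tAttributes, .tAssertionAttributes, .tResults)
    If $$$ISERR(tSC) {
        // Reject the token; the status text carries the reason,
        // e.g. "No Assertion" when option a is not satisfied.
        Write "SAML rejected: ", $System.Status.GetErrorText(tSC), !
        Return tSC
    }

    // Only read attributes after validation has succeeded.
    If $Data(tResults) ZWrite tResults
    If $Data(tAssertionAttributes) ZWrite tAssertionAttributes
    Return $$$OK
}

}
```

Because ValidateSAML does not validate the XML schema on its own, a caller that also needs schema validation passes a configured %XML.Reader as the final pXMLReader argument.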
classmethod validateSignatures(pXMLReader As %XML.Reader, pCertFile As %String = "", Output pSignedNodes) as %Status
