EnsLib.REST.SAMLGenericService
class EnsLib.REST.SAMLGenericService extends EnsLib.REST.GenericService
REST Generic Service that can validate the signature and timestamps on a SAML tokenProperty Inventory
Method Inventory
Parameters
parameter SETTINGS = Validation:Connection,TrustedX509File:Connection;
Inherited description: List of properties can be set as settings in the configuration file
format is a comma separated list of property names
Properties
property SAMLAttributes as %String;
Comma separated list of attributes to record for statistics.
The attribute names are case sensitive.
The attribute names are case sensitive.
Property methods: SAMLAttributesDisplayToLogical(), SAMLAttributesGet(), SAMLAttributesIsValid(), SAMLAttributesLogicalToDisplay(), SAMLAttributesLogicalToOdbc(), SAMLAttributesNormalize(), SAMLAttributesSet()
property TrustedX509File as %String (MAXLEN = 900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens.
The file should contain one or more trusted X.509 certificates in PEM-encoded format.
These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority.
If empty and the 'mgr' directory contains a 'iris.cer' file then that file will be used.
Property methods: TrustedX509FileDisplayToLogical(), TrustedX509FileGet(), TrustedX509FileIsValid(), TrustedX509FileLogicalToDisplay(), TrustedX509FileLogicalToOdbc(), TrustedX509FileNormalize(), TrustedX509FileSet()
property Validation as %String [ InitialExpression = "1" ];
Specifies types of Assertion validation to perform on element:
To change the skew allowance Set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item or ^Ens.Config("SAML","ClockSkew") for all items using this validation to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.
- t - must contain an Authorization header SAML token with key 'access_token='
- a - token must contain an Assertion
- u - token must contain an unsigned Assertion. If not found the error text is "No Unsigned Assertion".
- If both a and u are specified then either a signed or unsigned assertion needs to be present.
- s - combine with u - if unsigned assertions exist the s requires them be a children of signed elements. Note: The Assertion might be wrapped in a structure that does not follow from schema.
- r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
- v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions If option 'u' is specified and 'v' NotBefore/NotOnOrAfter conditions will also be checked.
- o - validate other signed nodes within the assertion such as TimeStamp. Signed reference elements with attribute name of ID or Id will be searched for.
To change the skew allowance Set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item or ^Ens.Config("SAML","ClockSkew") for all items using this validation to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.
Property methods: ValidationDisplayToLogical(), ValidationGet(), ValidationIsValid(), ValidationLogicalToDisplay(), ValidationLogicalToOdbc(), ValidationNormalize(), ValidationSet()
Methods
classmethod OnErrorStream(pStatus As %Status, pInstance As EnsLib.REST.SAMLGenericService)
Control the type and content of error returned to the REST caller
method OnValidate(pMsg As EnsLib.REST.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent default validation of the message (if any);
Convert to lower case, with inverse spec chars converted to upper case
Inherited Members
Inherited Properties
- %AlertStartTime
- %ConfigName
- %ConfigQueueName
- %ExcludeResponseHttpHeaders
- %LastActionTime
- %LastHandledTime
- %LastReportedError
- %OutsideCreated
- %PreserveSession
- %ProcessInputCalled
- %QuitTask
- %RequestHeader
- %SessionId
- %SuperSession
- %SuperSessionCreatedBeforeSession
- %WaitForNextCallInterval
- %WarnedLatest
- %isShadow
- Adapter
- AlertGracePeriod
- AlertGroups
- AlertOnError
- ArchiveIO
- BusinessPartner
- CSPNoCharSetConvert
- EnableStandardRequests
- GenerateSuperSessionID
- IOLogEntry
- InactivityTimeout
- KeepCSPPartition
- OneWay
- PersistInProcData
- SearchTableClass
- TargetConfigName
- ThrottleDelay
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OnClose()
- %OnNew()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %SuperSessionSet()
- %ValidateObject()
- AdapterName()
- AssignOneSetting()
- CloseIOLogEntry()
- ConvertParameter()
- Decrypt()
- Encrypt()
- EnumerateSettingsClose()
- EnumerateSettingsExecute()
- EnumerateSettingsFetch()
- EscapeHTML()
- EscapeURL()
- ForceSessionId()
- GenerateSuperSession()
- GetDeferredResponseToken()
- GetMsgHdrRequestKey()
- GetProductionSettingValue()
- GetProductionSettings()
- GetPropertyConnections()
- GetSettings()
- GetShadowInstance()
- HyperEventCall()
- HyperEventHead()
- Include()
- InsertHiddenField()
- InsertHiddenFields()
- IsPrivate()
- Link()
- NewIOLogEntry()
- OnAdapterHTTPResponse()
- OnError()
- OnGenerateSuperSession()
- OnGetConnections()
- OnHTTPHeader()
- OnInit()
- OnKeepalive()
- OnMonitor()
- OnPageError()
- OnPostHyperEvent()
- OnPreHTTP()
- OnPreHyperEvent()
- OnProcessInput()
- OnProductionStart()
- OnProductionStop()
- OnResolveDocType()
- OnTearDown()
- Page()
- PopulateSuperSession()
- QueueName()
- QuoteJS()
- RewriteURL()
- SaveIOLogEntry()
- SendAlert()
- SendDeferredResponse()
- SendRequestAsync()
- SendRequestSync()
- ShowError()
- StartTimer()
- StopTimer()
- ThrowError()
- UnescapeHTML()
- UnescapeURL()
- findDataNotInQuery()
- resolveAndIndex()
- resolveDocType()
- restoreFormEncoded()
- restoreMultipart()