
This version of the product is no longer supported, and this documentation is no longer updated regularly. See the latest version of this content.

EnsLib.SOAP.SAMLGenericService

class EnsLib.SOAP.SAMLGenericService extends EnsLib.SOAP.GenericService

SOAP Generic Service that can validate the signature and timestamps on a SAML token

Parameters

parameter SETTINGS = Validation:Connection,TrustedX509File:Connection;
Inherited description: Can't do grace period without an OnTask loop

Properties

property SAMLAttributes as %String;
Comma separated list of attributes to record for statistics.
The attribute names are case sensitive.
Property methods: SAMLAttributesDisplayToLogical(), SAMLAttributesGet(), SAMLAttributesIsValid(), SAMLAttributesLogicalToDisplay(), SAMLAttributesLogicalToOdbc(), SAMLAttributesNormalize(), SAMLAttributesSet()
property TrustedX509File as %String (MAXLEN = 900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the Ensemble 'mgr' directory contains a 'cache.cer' file then that file will be used.
Property methods: TrustedX509FileDisplayToLogical(), TrustedX509FileGet(), TrustedX509FileIsValid(), TrustedX509FileLogicalToDisplay(), TrustedX509FileLogicalToOdbc(), TrustedX509FileNormalize(), TrustedX509FileSet()
property Validation as %String [ InitialExpression = "1" ];
Specifies types of Assertion validation to perform:
  • t - must contain a signed SAML token
  • a - token must contain an Assertion
  • r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
  • v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions
  • o - validate other signed nodes such as TimeStamp
If 1 is specified it is equivalent to 'tarvo'.

When checking the NotBefore/NotOnOrAfter time conditions the default clock skew allowance is 90 seconds.
To change the skew allowance, set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item, or ^Ens.Config("SAML","ClockSkew") for all items using this validation, to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.

Property methods: ValidationDisplayToLogical(), ValidationGet(), ValidationIsValid(), ValidationLogicalToDisplay(), ValidationLogicalToOdbc(), ValidationNormalize(), ValidationSet()
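An added illustration (in Python, not the class's own ObjectScript) of the NotBefore/NotOnOrAfter check described above: the 90-second default skew allowance, a -1 skew value that disables the time check, and the 'r' requirement that the conditions be present. The assertion is constructed sample input; signature verification is a separate step not shown here.

```python
"""Clock-skew-tolerant check of a SAML Assertion's NotBefore/NotOnOrAfter
Conditions (added illustration; not EnsLib.SOAP.SAMLGenericService code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_CLOCK_SKEW = 90  # seconds; the default allowance named on the page

# Constructed sample assertion (no Signature element; signature checking is separate)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0" ID="_sample">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value!r}")


def check_conditions(assertion_xml, now, clock_skew=DEFAULT_CLOCK_SKEW, require=True):
    """Return (ok, reason). require=True mirrors the 'r' flag (conditions must be
    present); clock_skew=-1 skips the time comparison, like a ClockSkew of -1.
    In this illustration the presence check is independent of the skew setting."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML2_NS}}}Conditions")
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if require and (not_before is None or not_on_or_after is None):
        return False, "NotBefore/NotOnOrAfter required but missing"
    if clock_skew == -1:
        return True, "time condition checking disabled"
    skew = timedelta(seconds=clock_skew)
    # NotBefore is inclusive, NotOnOrAfter is exclusive; skew widens both edges
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (outside skew allowance)"
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (outside skew allowance)"
    return True, "time conditions satisfied"


if __name__ == "__main__":
    for t in ("2024-01-01T11:59:00Z", "2024-01-01T11:58:00Z", "2024-01-01T12:07:00Z"):
        print(t, check_conditions(SAMPLE_ASSERTION, t))
```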

Methods

method OnValidate(pMsg As EnsLib.SOAP.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent default validation of the message (if any).
classmethod normalizeValSpec(pValSpec As %String) as %String
Convert to lower case, with inverse spec chars converted to upper case.
