

class EnsLib.REST.SAMLGenericService extends EnsLib.REST.GenericService

REST Generic Service that can validate the signature and timestamps on a SAML token


Parameters: 1, Properties: 3, Methods: 3 (no Queries, Indices, ForeignKeys or Triggers)


This is a Business Service class.

The associated Adapter class is EnsLib.HTTP.InboundAdapter.

%AlertStartTime %ConfigName %ConfigQueueName
%ExcludeResponseHttpHeaders %LastActionTime %LastHandledTime
%LastReportedError %OutsideCreated %PreserveSession
%ProcessInputCalled %QuitTask %RequestHeader
%SessionId %SuperSession %SuperSessionCreatedBeforeSession
%WaitForNextCallInterval %WarnedLatest %isShadow
Adapter AlertGracePeriod AlertGroups
AlertOnError ArchiveIO BusinessPartner
CSPNoCharSetConvert EnableStandardRequests GenerateSuperSessionID
IOLogEntry InactivityTimeout KeepCSPPartition
OneWay PersistInProcData SAMLAttributes
SearchTableClass TargetConfigName ThrottleDelay
TrustedX509File Validation

%AddToSaveSet %ClassIsLatestVersion %ClassName %ConstructClone
%DispatchClassMethod %DispatchGetModified %DispatchGetProperty %DispatchMethod
%DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty %Extends
%GetParameter %IsA %IsModified %New
%NormalizeObject %ObjectModified %OnClose %OnNew
%OriginalNamespace %PackageName %RemoveFromSaveSet %SerializeObject
%SetModified %SuperSessionSet %ValidateObject AdapterName
AssignOneSetting CloseIOLogEntry ConvertParameter Decrypt
Encrypt EnumerateSettingsClose EnumerateSettingsExecute EnumerateSettingsFetch
EscapeHTML EscapeURL ForceSessionId GenerateSuperSession
GetDeferredResponseToken GetProductionSettingValue GetProductionSettings GetPropertyConnections
GetSettings GetShadowInstance HyperEventCall HyperEventHead
Include InsertHiddenField InsertHiddenFields IsPrivate
Link NewIOLogEntry OnAdapterHTTPResponse OnError
OnErrorStream OnGenerateSuperSession OnGetConnections OnHTTPHeader
OnInit OnKeepalive OnMonitor OnPageError
OnPostHyperEvent OnPreHTTP OnPreHyperEvent OnProcessInput
OnProductionStart OnProductionStop OnResolveDocType OnTearDown
OnValidate Page PopulateSuperSession QueueName
QuoteJS RewriteURL SaveIOLogEntry SendAlert
SendDeferredResponse SendRequestAsync SendRequestSync ShowError
StartTimer StopTimer ThrowError UnescapeHTML
UnescapeURL findDataNotInQuery normalizeValSpec resolveAndIndex
resolveDocType restoreFormEncoded restoreMultipart


• parameter SETTINGS = "Validation:Connection,TrustedX509File:Connection";
List of properties that can be set as settings in the configuration file. The format is a comma-separated list of property names.


• property SAMLAttributes as %String;
Comma separated list of attributes to record for statistics.
The attribute names are case sensitive.
• property TrustedX509File as %String(MAXLEN=900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the 'mgr' directory contains an 'iris.cer' file, then that file will be used.
• property Validation as %String [ InitialExpression = "1" ];
Specifies the types of Assertion validation to perform on the element:
  • t - must contain an Authorization header SAML token with key 'access_token='
  • a - token must contain an Assertion
  • u - token must contain an unsigned Assertion. If not found, the error text is "No Unsigned Assertion".
  • If both a and u are specified, then either a signed or an unsigned assertion needs to be present.
  • s - combine with u - if unsigned assertions exist, s requires them to be children of signed elements. Note: the Assertion might be wrapped in a structure that does not follow from the schema.
  • r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
  • v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions
  • If options 'u' and 'v' are both specified, NotBefore/NotOnOrAfter conditions will also be checked.
  • o - validate other signed nodes within the assertion, such as TimeStamp. Signed reference elements with an attribute named ID or Id will be searched for.
If 1 is specified, it is equivalent to 'tarvo'.

When checking the NotBefore/NotOnOrAfter time conditions, the default clock skew allowance is 90 seconds.
To change the skew allowance, set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item, or ^Ens.Config("SAML","ClockSkew") for all items using this validation, to the desired number of seconds.
Set it to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.
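As an added illustration (not the class's own code), a Python model of the documented a/u/r/v option semantics, the '1' = 'tarvo' expansion and the 90-second clock-skew rule with -1 disabling the time check. The assertion dicts, the `signed`/`sig_ok` keys and every message other than "No Unsigned Assertion" are constructed here for the example; signature checking itself is represented only by the `sig_ok` flag.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_SPEC = "tarvo"  # the page documents Validation = "1" as equivalent to 'tarvo'

def expand_spec(spec):
    """Return the set of Validation option letters; '1' expands to 'tarvo'."""
    spec = spec.strip()
    return set((DEFAULT_SPEC if spec == "1" else spec).lower())

def _ts(s):
    """Parse the xs:dateTime form used by SAML conditions (UTC, whole seconds)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(assertion, now, clock_skew=90):
    """NotBefore/NotOnOrAfter check with the documented 90 s default skew allowance.
    clock_skew == -1 disables the check, as ^Ens.Config("SAML","ClockSkew") = -1 does."""
    if clock_skew == -1:
        return True
    skew, t = timedelta(seconds=clock_skew), _ts(now)
    nb, noa = assertion.get("NotBefore"), assertion.get("NotOnOrAfter")
    if nb is not None and t < _ts(nb) - skew:
        return False  # not yet valid, even allowing for skew
    if noa is not None and t >= _ts(noa) + skew:
        return False  # expired, even allowing for skew
    return True

def validate(assertions, spec, now, clock_skew=90):
    """Model of options a/u/r/v over constructed assertion dicts with keys
    signed, sig_ok, NotBefore, NotOnOrAfter. Returns (ok, reason)."""
    opts = expand_spec(spec)
    signed = [x for x in assertions if x["signed"]]
    unsigned = [x for x in assertions if not x["signed"]]
    if "a" in opts and "u" in opts and not assertions:
        return False, "No Assertion"                    # constructed message
    if "a" in opts and "u" not in opts and not signed:
        return False, "No Signed Assertion"             # constructed message
    if "u" in opts and "a" not in opts and not unsigned:
        return False, "No Unsigned Assertion"           # error text documented on the page
    if "r" in opts and any(k not in x for x in assertions for k in ("NotBefore", "NotOnOrAfter")):
        return False, "Missing NotBefore/NotOnOrAfter"  # constructed message
    if "v" in opts:
        if not all(x["sig_ok"] for x in signed):
            return False, "Signature verification failed"  # constructed message
        checked = signed + (unsigned if "u" in opts else [])  # 'u' with 'v': unsigned checked too
        if not all(check_conditions(x, now, clock_skew) for x in checked):
            return False, "Time condition failed"       # constructed message
    return True, "OK"
```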


• classmethod OnErrorStream(pStatus As %Status, pInstance As EnsLib.REST.SAMLGenericService)
Controls the type and content of the error returned to the REST caller.
• method OnValidate(pMsg As EnsLib.REST.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent default validation of the message (if any).
• classmethod normalizeValSpec(pValSpec As %String) as %String
Converts the spec to lower case, with inverse spec characters converted to upper case.