

class EnsLib.SOAP.SAMLGenericService extends

SOAP Generic Service that can validate the signature and timestamps on a SAML token


Parameters: 1   Properties: 3   Methods: 2


This is a Business Service class.

The associated Adapter class is EnsLib.SOAP.InboundAdapter.

%AlertStartTime %ConfigName %ConfigQueueName
%ExcludeResponseHttpHeaders %LastActionTime %LastHandledTime
%LastReportedError %OutsideCreated %PreserveSession
%ProcessError %ProcessInputCalled %QuitTask
%RequestHeader %SearchTableType %SessionId
%SuperSession %SuperSessionCreatedBeforeSession %VDocFormat
%WaitForNextCallInterval %WarnedLatest %isShadow
Action Adapter AddressingIn
AddressingOut AlertGracePeriod AlertGroups
AlertOnError ArchiveIO Attachments
Base64LineBreaks BodyId BodyXmlId
BusinessPartner ContentId ContentLocation
FaultAddressing FaultHeaders GenerateSuperSessionID
HeaderDocType HeadersIn HeadersOut
IOLogEntry ImportHandler InactivityTimeout
IsMTOM KeepCSPPartition Location
MTOMRequired MethodName MsgClass
NamespacesOut OneWay OutputTypeAttribute
Password PersistInProcData ProcessHeaders
RMSession ReferencesInline RequestMessageStart
ResponseAttachments ResponseContentId ResponseContentLocation
SAMLAttributes SAXFlags SOAPInvoked
SearchTableClass SecurityContextToken SecurityIn
SecurityNamespace SecurityOut SessionCookie
SoapFault SoapVersion TargetConfigName
ThrottleDelay Timeout Transport
TrustedX509File Username Validation
WSDL WriteSOAPBodyMethod policyAlternative

%%OIDGet %AddEnvelopeNamespace %AddToSaveSet %BindExport
%BuildObjectGraph %ClassIsLatestVersion %ClassName %Close
%ConstructClone %DispatchClassMethod %DispatchGetModified %DispatchGetProperty
%DispatchMethod %DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty
%Extends %GetElementFromBody %GetParameter %IncrementCount
%IsA %IsModified %New %NormalizeObject
%ObjectModified %OnClose %OnCreateRMSession %OnNew
%OriginalNamespace %PackageName %ProcessInputCalledGet %ProcessInputCalledSet
%RemoveFromSaveSet %RestoreTCPDevice %SaveTCPDevice %SerializeObject
%SetModified %SuperSessionSet %ValidateObject AdapterName
AssignOneSetting BeginSOAPEnvelope CallProcessInputAsync CheckProcessInputAsyncStatus
CheckSOAPEnvelope CloseIOLogEntry ConvertParameter Decrypt
Encrypt EncryptBroker EndSOAPEnvelope EnumerateSettingsClose
EnumerateSettingsExecute EnumerateSettingsFetch EscapeHTML EscapeURL
EvalInitialExpression Fault FileWSDL ForceSessionId
GenerateSuperSession GetBinaryWriter GetBodyId GetDeferredResponseToken
GetLastError GetLastErrorText GetMsgClass GetProductionSettingValue
GetProductionSettings GetPropertyConnections GetRequestClassList GetResponseClassList
GetSecurityOut GetSettings GetShadowInstance HandleException
HyperEventBody HyperEventCall HyperEventFrame HyperEventHead
Include Initialize InitializeSecurity InsertHiddenField
InsertHiddenFields InvokeMsgClass IsPrivate Link
LogGlobal LogInput LogInputHTTPHeaders LogOutput
LogOutputHTTPHeaders LogText MakeFault MakeFault12
MakeFault12Code MakeFault12Text MakeSecurityFault MakeStatusFault
MessageHeaderHandler Namespace NewIOLogEntry NormalizeName
OnAdapterHTTPResponse OnAuthorize OnCancelSecureConversation OnCompile
OnError OnErrorStream OnFaultString OnGenerateSuperSession
OnGetConnections OnHTTPHeader OnInit OnKeepalive
OnMonitor OnPage OnPageError OnPostHTTP
OnPostHyperEvent OnPostSOAP OnPostWebMethod OnPreHTTP
OnPreHyperEvent OnPreSOAP OnPreWebMethod OnProcessInput
OnProductionStart OnProductionStop OnRequestMessage OnResolveDocType
OnSOAPRequest OnStartSecureConversation OnTask OnTearDown
OnValidate Page PopulateSuperSession Process
ProcessBinary ProcessBody ProcessBodyNode ProcessHTTP
ProcessInput ProcessSOAPEnvelope PurgeProcessInputAsyncTempData QueueName
QuoteJS ReadBinaryMessage Reset ResetSecurity
ReturnFault ReturnInternalStatusFault ReturnMethodStatusFault ReturnOneWay
ReturnStatusFault RewriteURL SaveIOLogEntry SecurityOutGet
SecurityOutSet SendAlert SendDeferredResponse SendRequestAsync
SendRequestSync SendRequestSyncMultiple SessionCookieSet SessionCookieSetInternal
ShowError StartTimer StopTimer ThrowError
TimeoutSet TmpCreate UnescapeHTML UnescapeURL
WSAddSignatureConfirmation WebMethod WriteFaultHeaders WriteHTTPContent
WriteSOAPHeaders WriteSOAPMessage WriteStartAttachments acceptRequestAsync
acceptRequestSync backgroundJob cloneTo copyStream
copyStreamUntil ensMakeFault ensMakeStatusFault findCachedObject
getStartTag initConfig inprocRequest makeConnections
normalizeValSpec onOutsideErr preProcessInput prepJoinedResponse
queueRequestAsync queueRequestSync readSplitEnvelopeStreamX resolveAndIndex
resolveDocType splitEnvelopeStream statusError statusReturn
writeJoinedResponse writeStream writeStreamUntil


• parameter SETTINGS = "Validation:Connection,TrustedX509File:Connection";
Can't do grace period without an OnTask loop


• property SAMLAttributes as %String;
Comma-separated list of attributes to record for statistics.
The attribute names are case-sensitive.
• property TrustedX509File as %String(MAXLEN=900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the 'mgr' directory contains an 'iris.cer' file, then that file will be used.
• property Validation as %String [ InitialExpression = "1" ];
Specifies the types of Assertion validation to perform on the element:
  • t - must contain a signed SAML token
  • a - token must contain an Assertion
  • u - token must contain an unsigned Assertion. If none is found, the error text is "No Unsigned Assertion".
  • If both 'a' and 'u' are specified, then either a signed or an unsigned Assertion must be present.
  • s - combine with 'u': if unsigned Assertions exist, 's' requires them to be children of signed elements. Note: the Assertion might be wrapped in a structure that does not follow the schema.
  • r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
  • v - verify Assertion signatures using a trusted X.509 certificate and, if present, the NotBefore/NotOnOrAfter conditions
  • If option 'u' is specified together with 'v', the NotBefore/NotOnOrAfter conditions will also be checked.
  • o - validate other signed nodes within the assertion, such as TimeStamp. Signed reference elements with an attribute named ID or Id will be searched for.
If 1 is specified, it is equivalent to 'tarvo'.

When checking the NotBefore/NotOnOrAfter time conditions the default clock skew allowance is 90 seconds.
To change the skew allowance, set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item, or ^Ens.Config("SAML","ClockSkew") for all items using this validation, to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.
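As an added illustration (not the class's own code), the following Python models the option semantics and the clock-skew rule described above. The Token record, the function names, and the reading of 'a' as a signed Assertion (implied by the combined 'a'/'u' sentence) are this example's assumptions; XML signature verification itself is outside its scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_CLOCK_SKEW = 90  # seconds; the documented default allowance

@dataclass
class Token:  # constructed summary of a received SAML token (this example's own type)
    signed_assertion: bool
    unsigned_assertion: bool
    unsigned_under_signed: bool  # unsigned Assertion sits under a signed element
    not_before: datetime = None
    not_on_or_after: datetime = None

def at(iso): return datetime.fromisoformat(iso)  # ISO-8601 helper, e.g. '2024-01-01T12:00:00+00:00'

def expand_val_spec(spec):
    """'1' is the documented shorthand for 'tarvo'; returns the set of option letters."""
    spec = "tarvo" if spec.strip() == "1" else spec.strip().lower()
    unknown = set(spec) - set("taursvo")
    if unknown:
        raise ValueError("unknown validation option(s): " + "".join(sorted(unknown)))
    return set(spec)

def time_conditions_ok(tok, now, skew=DEFAULT_CLOCK_SKEW):
    """NotBefore/NotOnOrAfter with skew allowance; -1 disables the check (as ClockSkew=-1 does)."""
    if skew == -1:
        return True
    allow = timedelta(seconds=skew)
    if tok.not_before and now + allow < tok.not_before:
        return False
    if tok.not_on_or_after and now - allow >= tok.not_on_or_after:
        return False
    return True

def validate(spec, tok, now, skew=DEFAULT_CLOCK_SKEW):
    # Returns None when the token satisfies the spec, otherwise the failure text.
    f = expand_val_spec(spec)
    need_a, need_u = "a" in f, "u" in f
    if need_a and need_u and not (tok.signed_assertion or tok.unsigned_assertion):
        return "No Assertion"
    if need_a and not need_u and not tok.signed_assertion:
        return "No Assertion"
    if need_u and not need_a and not tok.unsigned_assertion:
        return "No Unsigned Assertion"  # the documented error text
    if "s" in f and tok.unsigned_assertion and not tok.unsigned_under_signed:
        return "Unsigned Assertion not under a signed element"
    if "r" in f and None in (tok.not_before, tok.not_on_or_after):
        return "Missing NotBefore/NotOnOrAfter"
    if "v" in f and not time_conditions_ok(tok, now, skew):
        return "Assertion outside its validity window"
    return None
```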


• method OnValidate(pMsg As EnsLib.SOAP.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent the default validation of the message (if any).
• classmethod normalizeValSpec(pValSpec As %String) as %String
Convert to lower case, with inverse spec chars converted to upper case.