SOAP Generic Service that can validate the signature and timestamps on a SAML token
Can't do grace period without an OnTask loop
Comma separated list of attributes to record for statistics. The attribute names are case sensitive.

property TrustedX509File as %String(MAXLEN=900);

Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the 'mgr' directory contains an 'iris.cer' file then that file will be used.

property Validation as %String [ InitialExpression = "1" ];
Specifies types of Assertion validation to perform on
If 1 is specified it is equivalent to 'tarvo'. When checking the NotBefore/NotOnOrAfter time conditions the default clock skew allowance is 90 seconds.
- t - must contain a signed SAML token
- a - token must contain an Assertion
- u - token must contain an unsigned Assertion. If not found the error text is "No Unsigned Assertion".
- If both a and u are specified then either a signed or unsigned assertion needs to be present.
- s - combine with u - if unsigned assertions exist, 's' requires them to be children of signed elements. Note: The Assertion might be wrapped in a structure that does not follow from the schema.
- r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
- v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions. If option 'u' is specified together with 'v', NotBefore/NotOnOrAfter conditions will also be checked.
- o - validate other signed nodes within the assertion such as TimeStamp. Signed reference elements with attribute name of ID or Id will be searched for.
To change the skew allowance, Set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item, or ^Ens.Config("SAML","ClockSkew") for all items using this validation, to the desired number of seconds.
Set it to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.
Return non-zero to prevent default validation of the message (if any);

classmethod normalizeValSpec(pValSpec As %String) as %String

Convert to lower case, with inverse spec chars converted to upper case