package org.jboss.seam.security.external.saml.api;

import java.util.List;

import org.jboss.seam.security.external.saml.sp.SamlExternalIdentityProvider;

/**
 * API for the configuration of a SAML Service Provider.
 * <p>
 * The four signing-related properties come in two pairs: {@code authnRequestsSigned}
 * and {@code singleLogoutMessagesSigned} control whether messages sent by this
 * service provider are signed, while {@code wantAssertionsSigned} and
 * {@code wantSingleLogoutMessagesSigned} control whether messages received from an
 * identity provider must carry a valid signature. Of the four, only the signing of
 * authentication requests is disabled by default; the other three are enabled.
 * Disabling any of the "want ... signed" properties removes the check that lets the
 * service provider tell a genuine identity-provider message from a forged one.
 *
 * @author Marcel Kolsteren
 */
public interface SamlServiceProviderConfigurationApi extends SamlEntityConfigurationApi {
    /**
     * If this property is enabled, all authentication requests targeted at
     * identity providers will be signed. The property is disabled by default.
     * When enabling it, be sure to add a signing key by calling
     * {@link SamlEntityConfigurationApi#setSigningKey(String, String, String, String)}
     * first; without a configured key the requests cannot be signed.
     *
     * @return true iff the authentication requests are signed
     */
    boolean isAuthnRequestsSigned();

    /**
     * See {@link #isAuthnRequestsSigned}.
     *
     * @param authnRequestsSigned true to sign outgoing authentication requests
     */
    void setAuthnRequestsSigned(boolean authnRequestsSigned);

    /**
     * This property, which is enabled by default, determines whether incoming
     * authentication responses from the identity provider are required to have a
     * valid signature. It is strongly discouraged to disable signature
     * validation, because this opens possibilities for sending fake
     * authentication responses to the service provider: an unsigned (or
     * invalidly signed) response would then be accepted as if it came from the
     * trusted identity provider.
     *
     * @return true iff incoming assertions need to have a valid signature
     */
    boolean isWantAssertionsSigned();

    /**
     * See {@link #isWantAssertionsSigned()}.
     *
     * @param wantAssertionsSigned true to require a valid signature on incoming
     *                             authentication responses
     */
    void setWantAssertionsSigned(boolean wantAssertionsSigned);

    /**
     * This property indicates whether outgoing single logout messages are
     * signed. True by default, and the advice is not to disable this property,
     * unless you understand the security risks of doing so (an identity provider
     * that checks signatures would otherwise have no way to verify that a logout
     * request really originated from this service provider).
     *
     * @return true iff the single logout requests (sent to identity providers)
     *         are signed
     */
    boolean isSingleLogoutMessagesSigned();

    /**
     * See {@link #isSingleLogoutMessagesSigned()}.
     *
     * @param singleLogoutMessagesSigned true to sign outgoing single logout messages
     */
    void setSingleLogoutMessagesSigned(boolean singleLogoutMessagesSigned);

    /**
     * This property indicates whether incoming single logout requests are
     * required to have a valid signature. True by default, and the advice is not
     * to disable this property, unless you understand the security risks of
     * doing so: with the check disabled, anyone able to reach the service
     * provider could submit a logout request on behalf of another user.
     *
     * @return true iff incoming single logout requests need to have a valid
     *         signature
     */
    boolean isWantSingleLogoutMessagesSigned();

    /**
     * See {@link #isWantSingleLogoutMessagesSigned()}.
     *
     * @param wantSingleLogoutMessagesSigned true to require a valid signature on
     *                                       incoming single logout requests
     */
    void setWantSingleLogoutMessagesSigned(boolean wantSingleLogoutMessagesSigned);

    /**
     * Returns a list with all identity providers that are trusted (i.e. identity
     * providers that have been added by calling
     * {@link SamlEntityConfigurationApi#addExternalSamlEntity}). This allows the
     * API client to present the list to the user, so that the user can choose
     * the provider that needs to be used for doing the login.
     * <p>
     * NOTE(review): whether the returned list is a defensive copy or a live view
     * of the configuration, and whether it may be empty rather than null, is not
     * specified here; implementations should document this.
     *
     * @return list of identity providers
     */
    List<SamlExternalIdentityProvider> getIdentityProviders();
}