NAME
Authen::NZigovt::ServiceProvider - Class representing the local SAML2 Service Provider
DESCRIPTION
This class is used to represent the local SAML2 Service Provider which will be used to access the NZ igovt logon service Identity Provider. In normal use, an object of this class is initialised from the metadata-sp.xml in the configuration directory. This class can also be used to generate that metadata file.
METHODS
new
Constructor. Should not be called directly. Instead, call:
Authen::NZigovt->service_provider( args );
The conf_dir
parameter must be provided. It specifies the full pathname of the directory containing SP and IdP metadata files as well as certificate and key files for request signing and mutual-SSL.
new_defaults
Alternative constructor which is called to set up some sensible defaults when generating metadata.
conf_dir
Accessor for the conf_dir
parameter passed in to the constructor.
id
Accessor for the ID
parameter in the Service Provider metadata file.
entity_id
Accessor for the entityID
parameter in the Service Provider metadata file.
url_single_logout
Accessor for the SingleLogoutService
parameter in the Service Provider metadata file.
url_assertion_consumer
Accessor for the AssertionConsumerService
parameter in the Service Provider metadata file.
contact_company
Accessor for the Company
component of the ContactPerson
parameter in the Service Provider metadata file.
contact_first_name
Accessor for the GivenName
component of the ContactPerson
parameter in the Service Provider metadata file.
contact_surname
Accessor for the SurName
component of the ContactPerson
parameter in the Service Provider metadata file.
signing_cert_pathname
Accessor for the pathname of the Service Provider's signing certificate. This will always be the file sp-sign-crt.pem in the configuration directory.
signing_key_pathname
Accessor for the pathname of the Service Provider's signing key. This will always be the file sp-sign-key.pem in the configuration directory.
ssl_cert_pathname
Accessor for the pathname of the Service Provider's mutual SSL certificate. This will always be the file sp-ssl-crt.pem in the configuration directory.
ssl_key_pathname
Accessor for the pathname of the Service Provider's mutual SSL private key. This will always be the file sp-sign-crt.pem in the configuration directory.
idp
Accessor for an object representing the Identity Provider (See: Authen::NZigovt::IdentityProvider.
nameid_format
Returns a string URN representing the format of the NameID (Federated LogonTag - FLT) requested/expected from the Identity Provider.
generate_saml_id
Used by the request classes to generate a unique identifier for each request. It accepts one argument, being a string like 'AuthenRequest' to identify the type of request.
generate_certs
Called by the nzigovt make-certs
command to run an interactive Q&A session to generate either self-signed certificates or Certificate Signing Requests (CSRs). Delegates to Authen::NZigovt::ServiceProvider::CertFactory
build_new
Called by the nzigovt make-meta
command to run an interactive Q&A session to initialise or edit the contents of the Service Provider metadata file. Delegates to Authen::NZigovt::ServiceProvider::Builder
make_bundle
Called by the nzigovt make-bundle
command to create a zip archive of the files needed by the IdP. The archive will include the SP metadata and certificate files. Delegates to Authen::NZigovt::ServiceProvider::Builder
new_request( options )
Creates a new Authen::NZigovt::AuthenRequest object. The caller would typically use the as_url
method of the request to redirect the client to the Identity Provider's single logon service. The request object's request_id
method should be used to get the request ID and save it in session state for use later during artifact resolution.
The new_request
method does not require any arguments, but accepts the following optional key => value pairs:
- allow_create => boolean
-
Controls whether the user should be allowed to create a new account on the IdP. Default: false.
- force_auth => boolean
-
Controls whether the user will be forced to log in, rather than allowing the reuse of an existing logon session on the IdP. Default: true.
- auth_strength => string
-
The logon strength required. May be supplied as a URN, or as keyword ('low', 'mod', 'sms', etc). See Authen::NZigovt::LogonStrength for constants. Default: 'low'.
- relay_state => string
-
User-supplied string value that will be returned as a URL parameter to the assertion consumer service.as_url
metadata_xml
Serialises the current Service Provider config parameters to a SAML2 EntityDescriptor metadata document.
sign_query_string
Used by the Authen::NZigovt::AuthenRequest class to create a digital signature for the AuthnRequest HTTP-Redirect URL.
resolve_artifact
Takes an artifact (either the whole URL or just the SAMLart
parameter) and contacts the Identity Provider to resolve it to an FLT. Parameters (including the original request_id) must be supplied as key => value pairs, for example:
my $resp = $sp->resolve_artifact(
artifact => $framework->param('SAMLart'),
request_id => $framework->state('igovt_request_id'),
logon_strength => 'low', # optional
strength_match => 'minimum', # optional - default: 'minimum'
);
The assertion returned by the Identity Provider will be validated and its contents returned as an Authen::NZigovt::ResolutionResponse object. If an unexpected error occurs while resolving the artifact or while validating the resulting assertion, an exception will be thrown. Expected error conditions (eg: timeouts, user presses 'Cancel' etc) will not throw an exception, but will return a response object that can be interrogated to determine the nature of the error. The calling application may wish to log the expected errors with a severity of 'WARN' or 'INFO'.
now_as_iso
Convenience method returns the current time (UTC) formatted as an ISO date/time string.
SEE ALSO
See Authen::NZigovt for documentation index.
LICENSE AND COPYRIGHT
Copyright (c) 2010-2011 the New Zealand Electoral Enrolment Centre
Written by Grant McLean <grant@catalyst.net.nz>
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.