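/**
 * Builds the SP role descriptor via the superclass and then augments it in two ways.
 *
 * <p>Key rotation: every credential alias the zone's SAML SP {@link KeyManager} reports, except the
 * default (active) one, is published as an additional {@code SIGNING} key descriptor. The active key
 * is presumably already covered by the superclass; the extra descriptors let a relying IdP keep
 * verifying signatures made with a previous key while it is still configured. The flip side matters
 * for operators: a key stays advertised in metadata for as long as it remains among the zone's
 * available credentials, so retiring a key means removing it there, not merely making another one
 * the default.
 *
 * <p>Token endpoint: an extra AssertionConsumerService for {@code /oauth/token} with the SAML URI
 * binding is appended at the next free index. Its {@code isDefault} flag (the superclass's third
 * argument) is {@code false}, so it should not displace the default ACS chosen by the superclass.
 *
 * @param entityBaseURL       base URL of this SP entity, passed through to the superclass
 * @param entityAlias         alias of this SP entity, passed through to the superclass
 * @param requestSigned       whether AuthnRequests are signed
 * @param wantAssertionSigned whether assertions must be signed
 * @param includedNameID      NameID formats to advertise
 * @return the descriptor produced by the superclass, augmented as described above
 */
@Override
protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection<String> includedNameID) {
    SPSSODescriptor result = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID);

    // Advertise the non-default credentials as signing keys (key rotation support).
    // The key manager is looked up per zone; it may be null when the current zone has no SP keys configured.
    KeyManager samlSPKeyManager = IdentityZoneHolder.getSamlSPKeyManager();
    if (samlSPKeyManager != null && samlSPKeyManager.getAvailableCredentials() != null) {
        // Copy before mutating: the key manager may hand back an internal or read-only set.
        Set<String> inactiveKeyAliases = new HashSet<>(samlSPKeyManager.getAvailableCredentials());
        // Do not list the active key a second time; its descriptor is presumably added by the superclass.
        inactiveKeyAliases.remove(samlSPKeyManager.getDefaultCredentialName());
        for (String keyAlias : inactiveKeyAliases) {
            result.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(keyAlias)));
        }
    }

    // Append rather than insert so the indices of the ACS entries built by the superclass stay stable.
    int index = result.getAssertionConsumerServices().size();
    result.getAssertionConsumerServices().add(
            getAssertionConsumerService(
                    getEntityBaseURL(),
                    getEntityAlias(),
                    false, // isDefault: leave the superclass's default ACS in place
                    index,
                    "/oauth/token",
                    "urn:oasis:names:tc:SAML:2.0:bindings:URI"));
    return result;
}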
/**
 * Generates the SP {@link EntityDescriptor} for this generator's current configuration.
 *
 * <p>The generator's own settings (signing flags, NameID formats, entity id, base URL, alias) are
 * read up front and checked with {@code validateRequiredAttributes}. When no explicit {@code id}
 * has been configured, one is derived from the entity id as an NCName so the document gets a
 * schema-valid XML ID; the derived value is stored in the {@code id} field, so later calls reuse it.
 * The SP role descriptor comes from {@link #buildSPSSODescriptor} and is attached only when non-null.
 *
 * @return a freshly built descriptor carrying the entity id, the (possibly derived) id and the SP role
 */
public EntityDescriptor generateMetadata() {
    boolean signRequests = isRequestSigned();
    boolean requireSignedAssertions = isWantAssertionSigned();
    Collection<String> nameIdFormats = getNameID();
    String spEntityId = getEntityId();
    String spBaseUrl = getEntityBaseURL();
    String spAlias = getEntityAlias();
    validateRequiredAttributes(spEntityId, spBaseUrl);

    // No explicit ID configured: derive one from the entity id, cleaned into an NCName.
    if (id == null) {
        id = SAMLUtil.getNCNameString(spEntityId);
    }

    // The factory lookup is untyped, hence the unchecked cast; this assumes the builder registered
    // for the EntityDescriptor QName is the matching typed builder.
    @SuppressWarnings("unchecked")
    SAMLObjectBuilder<EntityDescriptor> descriptorBuilder =
            (SAMLObjectBuilder<EntityDescriptor>) builderFactory.getBuilder(EntityDescriptor.DEFAULT_ELEMENT_NAME);
    EntityDescriptor entityDescriptor = descriptorBuilder.buildObject();

    // Guard again in case the NCName derivation returned null: only set the attribute when there is a value.
    if (id != null) {
        entityDescriptor.setID(id);
    }
    entityDescriptor.setEntityID(spEntityId);

    SPSSODescriptor spRole = buildSPSSODescriptor(spBaseUrl, spAlias, signRequests, requireSignedAssertions, nameIdFormats);
    if (spRole != null) {
        entityDescriptor.getRoleDescriptors().add(spRole);
    }
    return entityDescriptor;
}