Class Reference
EnsLib.SOAP.SAMLGenericService
Server:appadmin-00044-deployment-6bf4cbc86d-9f4xc
Instance:IRIS
User:SuperUser
  
-
  [USER] >  [EnsLib] >  [SOAP] >  [SAMLGenericService]
Private  Storage

class EnsLib.SOAP.SAMLGenericService extends EnsLib.SOAP.GenericService

SOAP Generic Service that can validate the signature and timestamps on a SAML token

Inventory

Parameters Properties Methods Queries Indices ForeignKeys Triggers
1 3 2


Summary

Properties
%AlertStartTime %ConfigName %ConfigQueueName
%ExcludeResponseHttpHeaders %LastActionTime %LastHandledTime
%LastReportedError %OutsideCreated %PreserveSession
%ProcessInputCalled %QuitTask %RequestHeader
%SearchTableType %SessionId %SuperSession
%SuperSessionCreatedBeforeSession %VDocFormat %WaitForNextCallInterval
%WarnedLatest %isShadow Adapter
AddressingIn AddressingOut AlertGracePeriod
AlertGroups AlertOnError ArchiveIO
Attachments Base64LineBreaks BodyId
BodyXmlId BusinessPartner ContentId
ContentLocation FaultAddressing FaultHeaders
GatewayTimeout GenerateSuperSessionID HeaderDocType
HeadersIn HeadersOut IOLogEntry
ImportHandler InactivityTimeout IsMTOM
KeepCSPPartition Location MTOMRequired
MsgClass OutputTypeAttribute OverrideClientResponseWaitTimeout
Password PersistInProcData ProcessHeaders
RMSession ReferencesInline RequestMessageStart
ResponseAttachments ResponseContentId ResponseContentLocation
SAMLAttributes SAXFlags SOAPInvoked
SearchTableClass SecurityContextToken SecurityIn
SecurityNamespace SecurityOut SessionCookie
SoapFault SoapVersion SupportDelayedSyncRequest
TargetConfigName ThrottleDelay Timeout
Transport TrustedX509File UseSimulatedSync
Username Validation WSDL
WriteSOAPBodyMethod

Methods
%AddEnvelopeNamespace %AddToSaveSet %ClassIsLatestVersion
%ClassName %ConstructClone %DispatchClassMethod
%DispatchGetModified %DispatchGetProperty %DispatchMethod
%DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty
%Extends %GetParameter %IsA
%IsModified %New %NormalizeObject
%ObjectModified %OnClose %OnCreateRMSession
%OnNew %OriginalNamespace %PackageName
%RemoveFromSaveSet %SerializeObject %SetModified
%SuperSessionSet %ValidateObject AdapterName
AssignOneSetting CloseIOLogEntry ConvertParameter
Decrypt Encrypt EnumerateSettingsClose
EnumerateSettingsExecute EnumerateSettingsFetch EscapeHTML
EscapeURL FileWSDL ForceSessionId
GatewayTimeout GenerateSuperSession GetBodyId
GetDeferredResponseToken GetMsgHdrRequestKey GetProductionSettingValue
GetProductionSettings GetPropertyConnections GetSettings
GetShadowInstance HyperEventCall HyperEventHead
Include Initialize InsertHiddenField
InsertHiddenFields IsPrivate Link
MakeFault MakeFault12 MakeSecurityFault
MakeStatusFault NewIOLogEntry NormalizeName
OnAdapterHTTPResponse OnAuthorize OnCancelSecureConversation
OnError OnErrorStream OnGenerateSuperSession
OnGetConnections OnHTTPHeader OnHandleNoResponseYet
OnInit OnKeepalive OnMonitor
OnPageError OnPopulateSendSyncHandling OnPostHTTP
OnPostHyperEvent OnPostWebMethod OnPreHyperEvent
OnPreWebMethod OnProcessInput OnProductionStart
OnProductionStop OnRequestMessage OnResolveDocType
OnSOAPRequest OnStartSecureConversation OnTearDown
OnValidate Page PopulateSuperSession
Process ProcessBinary ProcessBody
ProcessBodyNode QueueName QuoteJS
Reset ReturnFault ReturnMethodStatusFault
ReturnOneWay ReturnStatusFault RewriteURL
SOAPLogContains SaveIOLogEntry SendAlert
SendDeferredResponse SendRequestAsync SendRequestSync
SetReturnStatusCode ShowError StartTimer
StopTimer ThrowError UnescapeHTML
UnescapeURL VerifySendSyncHandlingInstructions WSAddSignatureConfirmation
normalizeValSpec resolveAndIndex resolveDocType
statusReturn


Parameters

• parameter SETTINGS = "Validation:Connection,TrustedX509File:Connection";
Can't do grace period without an OnTask loop

Properties

• property SAMLAttributes as %String;
Comma separated list of attributes to record for statistics.
The attribute names are case sensitive.
• property TrustedX509File as %String(MAXLEN=900);
Location of a file containing certificates that can be used to verify the signatures on received SAML tokens. The file should contain one or more trusted X.509 certificates in PEM-encoded format. These certificates should complete a 'chain of trust' from the signatures contained in the SAML tokens to a trusted root Certificate Authority. If empty and the 'mgr' directory contains a 'iris.cer' file then that file will be used.
• property Validation as %String [ InitialExpression = "1" ];
Specifies types of Assertion validation to perform on element:
  • t - must contain a signed SAML token
  • a - token must contain an Assertion
  • u - token must contain an unsigned Assertion. If not found the error text is "No Unsigned Assertion".
  • If both a and u are specified then either a signed or unsigned assertion needs to be present.
  • s - combine with u - if unsigned assertions exist the s requires them be a children of signed elements. Note: The Assertion might be wrapped in a structure that does not follow from schema.
  • r - require Assertions to contain NotBefore/NotOnOrAfter time conditions
  • v - verify Assertion signatures using a Trusted X.509 certificate and, if present, NotBefore/NotOnOrAfter conditions
    • If option 'u' is specified and 'v' NotBefore/NotOnOrAfter conditions will also be checked.
  • o - validate other signed nodes within the assertion such as TimeStamp. Signed reference elements with attribute name of ID or Id will be searched for.
If 1 is specified it is equivalent to 'tarvo'.

When checking the NotBefore/NotOnOrAfter time conditions the default clock skew allowance is 90 seconds.
To change the skew allowance Set ^Ens.Config("SAML","ClockSkew",<ConfigName>) for a specific item or ^Ens.Config("SAML","ClockSkew") for all items using this validation to the desired number of seconds.
Set to -1 to prevent NotBefore/NotOnOrAfter condition checking for the relevant item or items.
This does not validate the XML schema used for the SAML token.


Methods

• method OnValidate(pMsg As EnsLib.SOAP.GenericMessage, pValSpec As %String, Output pStatus As %Status) as %Boolean
Return non-zero to prevent default validation of the message (if any);
• classmethod normalizeValSpec(pValSpec As %String) as %String
Convert to lower case, with inverse spec chars converted to upper case

Copyright (c) 2025 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.