Class Reference
IRIS for UNIX 2024.1.2

class Ens.Util.XML.SecuritySignature extends %RegisteredObject

Used to check SAML Assertion signature outside SOAP framework

Summary

Methods
FindAssertionAttributes GetAssertionAttribute ValidateSAML validateSignatures


Methods

• classmethod FindAssertionAttributes(pSAML As %Stream.Object, ByRef pAssertionAttributes, Output pAttributes) as %Status
• classmethod GetAssertionAttribute(pSAMLDoc As %XML.XPATH.Document, pNSP As %String = "", pSAMLVersion As %Integer = 2, pAssertAttribName As %String, ByRef pAssertAttribValues) as %Status
Retrieves SAML Assertion AttributeValue(s) from a SAML XPATH Doc for a given pAssertAttribName
• classmethod ValidateSAML(pSAML As %GlobalCharacterStream, pValSpec As %String, pTrustedX509File As %String, pClockSkew As %String, ByRef pAttributes As %String, ByRef pAssertionAttributes As %String, Output pResults As %String, pXMLReader As %XML.Reader) as %Status
Checks the signatures and the time conditions of the SAML token in pSAML, as selected by pValSpec, against the trusted certificate(s) in pTrustedX509File.
This does not validate the XML schema used for the SAML token.
pValSpec is a string of one-character flags that selects the Assertion validation to perform:
  • t - the document must contain a signed token.
  • a - the token must contain a signed Assertion. If none is found, the error text is "No Assertion".
  • u - the token must contain an unsigned Assertion. If none is found, the error text is "No Unsigned Assertion".
  • If both a and u are specified, either a signed or an unsigned Assertion must be present.
  • s - combine with u: when unsigned Assertions exist, s requires each of them to be a child of a signed element. Note: the Assertion might be wrapped in a structure that does not follow the schema.
  • r - require Assertions to contain both the NotBefore and the NotOnOrAfter time conditions.
  • v - verify the Assertion signature and, if present, the NotBefore/NotOnOrAfter conditions. If u is specified together with v, the NotBefore/NotOnOrAfter conditions of unsigned Assertions are also checked.
  • o - also validate other signed nodes within the assertion, such as TimeStamp. Signed reference elements are located by an attribute named ID or Id.
  • Set pClockSkew to the number of seconds of clock difference to tolerate when checking NotBefore/NotOnOrAfter, or to -1 to skip the NotBefore/NotOnOrAfter check entirely. With -1 no validity window is enforced, so an expired or not-yet-valid Assertion is accepted; -1 is not appropriate for a production trust decision.
    To carry out schema validation of the input stream, create an instance of %XML.Reader, set the properties appropriate for validation, and pass it in as the optional parameter pXMLReader.
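A worked call of ValidateSAML followed by attribute extraction, added here as an example; it is not code from the InterSystems class reference or from the Ens.Util.XML.SecuritySignature implementation. The class name Example.SAMLCheck, the token file path, the attribute name "email", and the assumption that GetAssertionAttribute fills pAssertAttribValues as a subscripted array are all constructed for the example. The flag string "tarvo" is chosen so that an unsigned Assertion, a missing validity window, an untrusted signer or an out-of-window token are each rejected rather than tolerated:

```objectscript
/// Added example (not part of the InterSystems class reference): validate a SAML
/// token with Ens.Util.XML.SecuritySignature.ValidateSAML, then read an
/// attribute from the signed Assertion. Class name, file path, attribute name
/// and the shape of the returned value array are assumptions.
Class Example.SAMLCheck Extends %RegisteredObject
{

/// Returns $$$OK only when pSAML carries a signed Assertion whose signature
/// is trusted via pTrustedX509File and whose NotBefore/NotOnOrAfter window
/// (widened by pClockSkew seconds) includes the current time.
/// On success pEmail holds the first value of the "email" Assertion attribute.
ClassMethod CheckToken(pSAML As %GlobalCharacterStream, pTrustedX509File As %String, pClockSkew As %Integer = 300, Output pEmail As %String) As %Status
{
	Set pEmail = ""
	// t: the document must contain a signed token
	// a: a signed Assertion is required (an unsigned one does not satisfy this)
	// r: the Assertion must carry both NotBefore and NotOnOrAfter
	// v: verify the signature and enforce the time conditions
	// o: validate other signed nodes such as TimeStamp as well
	// Deliberately no 'u': an unsigned Assertion must never be accepted here.
	Set tValSpec = "tarvo"
	// pClockSkew = -1 would disable the NotBefore/NotOnOrAfter check entirely;
	// a small positive tolerance (seconds) is the production setting.
	If pClockSkew < 0 Quit $$$ERROR($$$GeneralError, "Refusing to disable NotBefore/NotOnOrAfter checking")
	Set tSC = ##class(Ens.Util.XML.SecuritySignature).ValidateSAML(pSAML, tValSpec, pTrustedX509File, pClockSkew, .tAttributes, .tAssertionAttributes, .tResults)
	// A failed signature, missing Assertion or expired window is a rejection,
	// not a warning: return the status and do not look at the attributes.
	If $$$ISERR(tSC) Quit tSC
	// Re-parse the (now consumed) stream into an XPath document for attribute lookup.
	Do pSAML.Rewind()
	Set tSC = ##class(%XML.XPATH.Document).CreateFromStream(pSAML, .tDoc)
	If $$$ISERR(tSC) Quit tSC
	// SAML 2.0 (pSAMLVersion = 2), no namespace prefix override, attribute "email" (assumed name).
	Set tSC = ##class(Ens.Util.XML.SecuritySignature).GetAssertionAttribute(tDoc, "", 2, "email", .tValues)
	If $$$ISERR(tSC) Quit tSC
	// Assumption: pAssertAttribValues comes back as tValues(n) = value; take the first entry.
	Set tKey = $Order(tValues(""))
	If tKey = "" Quit $$$ERROR($$$GeneralError, "Assertion has no email attribute")
	Set pEmail = $Get(tValues(tKey))
	Quit $$$OK
}

/// Convenience wrapper: load a token from a file into the stream type
/// ValidateSAML expects and run CheckToken on it.
ClassMethod CheckTokenFile(pTokenFile As %String, pTrustedX509File As %String, Output pEmail As %String) As %Status
{
	Set tFile = ##class(%FileCharacterStream).%New()
	Set tFile.Filename = pTokenFile
	Set tSAML = ##class(%GlobalCharacterStream).%New()
	Set tSC = tSAML.CopyFrom(tFile)
	If $$$ISERR(tSC) Quit tSC
	Do tSAML.Rewind()
	Quit ..CheckToken(tSAML, pTrustedX509File, 300, .pEmail)
}

}
```

Usage from a terminal (paths are placeholders): `Set sc = ##class(Example.SAMLCheck).CheckTokenFile("/tmp/token.xml", "/etc/pki/idp-signing.cer", .email)` and then `Write $System.Status.GetErrorText(sc)` when `$$$ISERR(sc)`. The flag string is the trust policy: dropping `r` lets an Assertion without a validity window through, and adding `u` without `s` lets an unsigned Assertion satisfy the check, so change it only deliberately.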
• classmethod validateSignatures(pXMLReader As %XML.Reader, pCertFile As %String = "", Output pSignedNodes) as %Status


Copyright (c) 2025 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.