ESOE SPEP Processor Design
Enterprise Sign On Engine Technical Architecture
Written by Bradley Beddoes
September 2006
Architecture design by Bradley Beddoes
Incorporates SAML 2.0, and (L)XACML 2.0 OASIS standards
Contributions by:
Shaun Mangelsdorf
Andre Zitelli
Edited by:
Bradley Beddoes
Shaun Mangelsdorf
Andre Zitelli
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
SPEP Processor
| Component Lead | Shaun Mangelsdorf |
| Package | com.qut.middleware.esoe.spep.impl.\* |
| Type | SPEPProcessorImpl |
| Implemented Interfaces | com.qut.middleware.esoe.spep.SPEPProcessor |
The SPEP processor communicates with SPEP instances to ensure they have all the information necessary to perform their role. It also takes advice from SPEPs when they perform certain actions, which is recorded centrally for possible future use.
SPEP Startup Component
| Component Lead | Andre Zitelli |
| Package | com.qut.middleware.esoe.spep.impl.\* |
| Type | StartupImpl |
| Implemented Interfaces | com.qut.middleware.esoe.spep.Startup |
| Exceptions | InvalidRequest, DatabaseFailureNoSuchSPEP, SPEPCacheUpdateFailure |
Verify the supplied value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestDocument (see Verifying Requests). Any invalid request MUST set com.qut.middleware.esoe.aa.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> by creating a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requestor, then create and throw com.qut.middleware.esoe.spep.exception.InvalidRequestException.
The value of <Issuer> should be retrieved and stored at com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID.
The value of <authzCache> should be retrieved and stored at com.qut.middleware.esoe.spep.bean.SPEPProcessorData.authzEndpointID.
Using the iBatis database stack, the supplied value com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID will be checked to ensure it exists in the table SPEP_REGISTRATION. If it does not, a new record should be created in this table, storing with it all the supplied values of ipAddress, compileDate, compileSystem, version and environment. An identical record SHOULD be stored in SPEP_REGISTRATION_HISTORY.
If a record already exists, the values of ipAddress, compileDate, compileSystem, version and environment will be checked against the table SPEP_REGISTRATION. If ALL values are equal, then no further processing is undertaken. If any value is different, all values of ipAddress, compileDate, compileSystem, version and environment should be written to the table and date_last_updated set to the current date. A new record should also be created in SPEP_REGISTRATION_HISTORY.
If a primary key constraint exception occurs in the database, the startup component MUST set the value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requestor, then create and throw com.qut.middleware.esoe.spep.exception.DatabaseFailureNoSuchSPEPException.
If other exceptions occur, the startup component MUST set the value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Responder, then create and throw com.qut.middleware.esoe.spep.exception.DatabaseFailureException.
Once database updates have been made, the com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor SPEP Start component should be called and supplied the values com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID and com.qut.middleware.esoe.spep.bean.SPEPProcessorData.authzEndpointID. This in turn will make its own connection back to the SPEP and deliver the initial caching state.
Handled return values and actions
com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Failure
The startup component MUST set com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> by creating a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requestor then create and throw com.qut.middleware.esoe.spep.exception.SPEPCacheUpdateException.
com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Successful
The startup component MUST set com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> by creating a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requestor. The startup component should then return.
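The registration rule (insert on first sight, no-op when all five values match, overwrite plus history row when any differ) and the database-failure-to-status mapping described above, as an added example that is not ESOE project code. A HashMap stands in for the iBatis-backed SPEP_REGISTRATION table, java.sql.SQLIntegrityConstraintViolationException stands in for the primary key constraint exception, and the record, enum and method names are assumptions.

```java
import java.sql.SQLException;
import java.sql.SQLIntegrityConstraintViolationException;
import java.util.HashMap;
import java.util.Map;

// Added example (not ESOE project code): the SPEP_REGISTRATION insert/compare/update
// rule and the failure-to-status mapping of the Startup component. A HashMap stands in
// for the iBatis-backed table; the record and enum names are assumptions.
public class SpepStartupExample {
    // Top-level SAML 2.0 status codes; the standard URN is spelt "Requester".
    static final String STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester";
    static final String STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";

    // One SPEP_REGISTRATION row, keyed by the SPEP entityID taken from <Issuer>.
    record Registration(String ipAddress, String compileDate, String compileSystem,
                        String version, String environment) {}

    enum Action { INSERTED, UNCHANGED, UPDATED }

    private final Map<String, Registration> registration = new HashMap<>();
    private final Map<String, Integer> historyRowCount = new HashMap<>();   // SPEP_REGISTRATION_HISTORY

    // Unknown entityID: insert and record history. Known and all five values equal:
    // nothing to do. Known and any value differs: overwrite all five and record history
    // (a real implementation would also set date_last_updated here).
    Action register(String entityID, Registration supplied) {
        Registration existing = registration.get(entityID);
        if (existing != null && existing.equals(supplied)) return Action.UNCHANGED;
        registration.put(entityID, supplied);
        historyRowCount.merge(entityID, 1, Integer::sum);
        return existing == null ? Action.INSERTED : Action.UPDATED;
    }

    int historyRows(String entityID) { return historyRowCount.getOrDefault(entityID, 0); }

    // Primary key violation -> Requester status (DatabaseFailureNoSuchSPEPException);
    // any other database failure -> Responder status (DatabaseFailureException).
    static String statusFor(SQLException e) {
        return e instanceof SQLIntegrityConstraintViolationException ? STATUS_REQUESTER : STATUS_RESPONDER;
    }

    public static void main(String[] args) {
        SpepStartupExample startup = new SpepStartupExample();
        String spep = "https://spep.example.org";   // constructed entityID
        Registration v1 = new Registration("192.0.2.10", "2006-09-01", "build-host", "1.0", "prod");
        System.out.println(startup.register(spep, v1));
        System.out.println(startup.register(spep, v1));
        Registration v2 = new Registration("192.0.2.10", "2006-09-15", "build-host", "1.1", "prod");
        System.out.println(startup.register(spep, v2) + " history=" + startup.historyRows(spep));
        System.out.println(statusFor(new SQLIntegrityConstraintViolationException("duplicate key")));
        System.out.println(statusFor(new SQLException("connection lost")));
    }
}
```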