ESOE SPEP Processor Design

Enterprise Sign On Engine Technical Architecture
Written by Bradley Beddoes
September 2006

Architecture design by Bradley Beddoes
Incorporates SAML 2.0, and (L)XACML 2.0 OASIS standards

Contributions by:
Shaun Mangelsdorf
Andre Zitelli

Edited by:
Bradley Beddoes
Shaun Mangelsdorf
Andre Zitelli

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in RFC 2119

SPEP Processor

Component Lead Shaun Mangelsdorf
Package com.qut.middleware.esoe.spep.impl.*
Type SPEPProcessorImpl
Implemented Interfaces com.qut.middleware.esoe.spep.SPEPProcessor

The SPEP processor communicates with SPEP instances to ensure they have all the information necessary to perform their role. It also accepts notifications from SPEPs when they perform certain actions; these are recorded centrally for possible future use.

SPEP Startup Component

Component Lead Andre Zitelli
Package com.qut.middleware.esoe.spep.impl.*
Type StartupImpl
Implemented Interfaces com.qut.middleware.esoe.spep.Startup
Exceptions InvalidRequestException, DatabaseFailureNoSuchSPEPException, DatabaseFailureException, SPEPCacheUpdateException

Verify the supplied value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestDocument as described under Verifying Requests. Any invalid request MUST set com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> built from a base response whose <Status> is urn:oasis:names:tc:SAML:2.0:status:Requester, then create and throw com.qut.middleware.esoe.spep.exception.InvalidRequestException.

The value of <Issuer> should be retrieved and stored at com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID.
The value of <authzCache> should be retrieved and stored at com.qut.middleware.esoe.spep.bean.SPEPProcessorData.authzEndpointID.

Using the iBatis database stack, the supplied value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID is checked to ensure it exists in the table SPEP_REGISTRATION. If it does not, a new record should be created in this table storing the supplied values of ipAddress, compileDate, compileSystem, version and environment. An identical record SHOULD be stored in SPEP_REGISTRATION_HISTORY.

If a record already exists, the supplied values of ipAddress, compileDate, compileSystem, version and environment are compared against the stored record in SPEP_REGISTRATION. If ALL values are equal, no further database processing is undertaken. If any value differs, all of ipAddress, compileDate, compileSystem, version and environment should be written to the table and date_last_updated set to the current date. A new record should also be created in SPEP_REGISTRATION_HISTORY.

If a primary key constraint exception occurs in the database, the startup component MUST set the value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requester, then create and throw com.qut.middleware.esoe.spep.exception.DatabaseFailureNoSuchSPEPException.

If any other exception occurs, the startup component MUST set the value of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Responder, then create and throw com.qut.middleware.esoe.spep.exception.DatabaseFailureException.

Once the database updates have been made, the com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor SPEP Start component should be called and supplied the values of com.qut.middleware.esoe.spep.bean.SPEPProcessorData.requestEntityID and com.qut.middleware.esoe.spep.bean.SPEPProcessorData.authzEndpointID. This in turn makes its own connection back to the SPEP and delivers the initial cache state.

Handled return values and actions

com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Failure

The startup component MUST set com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> built from a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Requester, then create and throw com.qut.middleware.esoe.spep.exception.SPEPCacheUpdateException.

com.qut.middleware.esoe.pdp.cache.PolicyCacheProcessor.result.Successful

The startup component MUST set com.qut.middleware.esoe.spep.bean.SPEPProcessorData.responseDocument to a <ValidateInitalizationResponse> built from a base response with <Status> of urn:oasis:names:tc:SAML:2.0:status:Success. The startup component should then return.
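The whole startup procedure above (request check, registration create-or-update with history, policy cache trigger, and the status written on each outcome) as a runnable reference model. This is an added example, not ESOE project code: iBatis and the SAML response builders are replaced by sqlite3 and plain dicts, SPEPProcessorData, the exception names and the status URNs follow the text, while the table column names, the flat-dict shape of the parsed request, the startup_outcome() helper and the sample request are assumptions made for this example. The field check at the top is structural only; it does not replace the signature and issuer verification of the Verifying Requests step, which must have passed before <Issuer> is trusted as the registration key.

```python
"""Reference model of the SPEP Startup component (added example, not ESOE code)."""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# SAML 2.0 Core second-level status codes (note the standard's spelling "Requester").
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"

# The five values recorded with each registration, in table column order.
REGISTRATION_FIELDS = ("ipAddress", "compileDate", "compileSystem", "version", "environment")

# Constructed sample request (not captured traffic); element names assumed from the text.
SAMPLE_REQUEST = {"Issuer": "https://spep.example.edu", "authzCache": "authz-0", "ipAddress": "10.0.0.5",
                  "compileDate": "2006-09-01", "compileSystem": "build01", "version": "0.9", "environment": "test"}


class InvalidRequestException(Exception): ...
class DatabaseFailureNoSuchSPEPException(Exception): ...
class DatabaseFailureException(Exception): ...
class SPEPCacheUpdateException(Exception): ...


@dataclass
class SPEPProcessorData:
    """Mirror of com.qut.middleware.esoe.spep.bean.SPEPProcessorData; requestDocument is a flat dict here."""
    requestDocument: Dict[str, str]
    requestEntityID: Optional[str] = None
    authzEndpointID: Optional[str] = None
    responseDocument: Optional[Dict[str, str]] = None


def open_registration_db() -> sqlite3.Connection:
    """In-memory stand-in for SPEP_REGISTRATION and SPEP_REGISTRATION_HISTORY (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SPEP_REGISTRATION (
            entity_id TEXT PRIMARY KEY, ip_address TEXT, compile_date TEXT, compile_system TEXT,
            version TEXT, environment TEXT, date_added TEXT NOT NULL, date_last_updated TEXT);
        CREATE TABLE SPEP_REGISTRATION_HISTORY (
            history_id INTEGER PRIMARY KEY AUTOINCREMENT, entity_id TEXT NOT NULL, ip_address TEXT,
            compile_date TEXT, compile_system TEXT, version TEXT, environment TEXT, date_added TEXT NOT NULL);
    """)
    return db


def _fail(data: SPEPProcessorData, status: str, exc: type) -> None:
    """Every failure path sets the base response <Status> first, then throws."""
    data.responseDocument = {"Status": status}
    raise exc(status)


def _register_spep(db: sqlite3.Connection, entity_id: str, values: Tuple[str, ...], now: str) -> None:
    """Create-or-update SPEP_REGISTRATION; every write is mirrored into SPEP_REGISTRATION_HISTORY."""
    row = db.execute("SELECT ip_address, compile_date, compile_system, version, environment "
                     "FROM SPEP_REGISTRATION WHERE entity_id = ?", (entity_id,)).fetchone()
    if row is None:
        db.execute("INSERT INTO SPEP_REGISTRATION VALUES (?, ?, ?, ?, ?, ?, ?, NULL)", (entity_id, *values, now))
    elif tuple(row) == values:
        return  # ALL values equal: no database write and no history row
    else:
        db.execute("UPDATE SPEP_REGISTRATION SET ip_address = ?, compile_date = ?, compile_system = ?, "
                   "version = ?, environment = ?, date_last_updated = ? WHERE entity_id = ?",
                   (*values, now, entity_id))
    db.execute("INSERT INTO SPEP_REGISTRATION_HISTORY (entity_id, ip_address, compile_date, compile_system, "
               "version, environment, date_added) VALUES (?, ?, ?, ?, ?, ?, ?)", (entity_id, *values, now))
    db.commit()


def process_startup(data: SPEPProcessorData, db: sqlite3.Connection,
                    cache_start: Callable[[str, str], str], now: str = "2006-09-01T00:00:00Z") -> Dict[str, str]:
    """Validate, register, trigger the policy cache, and build the response. `now` is injected for testability."""
    req = data.requestDocument
    # Structural check only; signature/issuer verification (Verifying Requests) must already have passed.
    if any(not req.get(k) for k in ("Issuer", "authzCache") + REGISTRATION_FIELDS):
        _fail(data, STATUS_REQUESTER, InvalidRequestException)
    data.requestEntityID = req["Issuer"]
    data.authzEndpointID = req["authzCache"]
    try:
        _register_spep(db, data.requestEntityID, tuple(req[k] for k in REGISTRATION_FIELDS), now)
    except sqlite3.IntegrityError:   # primary key constraint violated
        _fail(data, STATUS_REQUESTER, DatabaseFailureNoSuchSPEPException)
    except sqlite3.Error:            # any other database failure is the responder's fault
        _fail(data, STATUS_RESPONDER, DatabaseFailureException)
    # PolicyCacheProcessor SPEP Start call, modelled as a callback returning the result name.
    if cache_start(data.requestEntityID, data.authzEndpointID) != "Successful":
        _fail(data, STATUS_REQUESTER, SPEPCacheUpdateException)
    data.responseDocument = {"Status": STATUS_SUCCESS}
    return data.responseDocument


def startup_outcome(data, db, cache_start) -> Tuple[Optional[str], str]:
    """(exception class name or None, <Status> written to the response) for one startup attempt."""
    try:
        process_startup(data, db, cache_start)
        return None, data.responseDocument["Status"]
    except (InvalidRequestException, DatabaseFailureNoSuchSPEPException,
            DatabaseFailureException, SPEPCacheUpdateException) as e:
        return type(e).__name__, data.responseDocument["Status"]


def history_rows(db) -> int:
    return db.execute("SELECT COUNT(*) FROM SPEP_REGISTRATION_HISTORY").fetchone()[0]


if __name__ == "__main__":
    db = open_registration_db()
    print(startup_outcome(SPEPProcessorData(dict(SAMPLE_REQUEST)), db, lambda e, a: "Successful"), history_rows(db))
```

Two points worth noting when reading this against the text: the primary key constraint path can only be reached by a race between two concurrent startups of the same entity ID (both miss on the SELECT, both INSERT), so the real implementation should run the select-then-write inside one transaction; and the identical-registration case writes nothing, so a SPEP that restarts unchanged leaves no trace in SPEP_REGISTRATION_HISTORY, which is by design here but worth knowing when using that table for auditing.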
