package org.pac4j.saml.sso.impl;

import com.google.common.annotations.VisibleForTesting;
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.BaseID;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xmlsec.encryption.support.DecryptionException;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.context.SAML2ConfigurationContext;
import org.pac4j.saml.context.SAML2MessageContext;
import org.pac4j.saml.credentials.SAML2Credentials;
import org.pac4j.saml.crypto.SAML2SignatureTrustEngineProvider;
import org.pac4j.saml.exceptions.SAMAssertionSubjectException;
import org.pac4j.saml.exceptions.SAMLAssertionAudienceException;
import org.pac4j.saml.exceptions.SAMLAssertionConditionException;
import org.pac4j.saml.exceptions.SAMLAuthnContextClassRefException;
import org.pac4j.saml.exceptions.SAMLAuthnInstantException;
import org.pac4j.saml.exceptions.SAMLAuthnSessionCriteriaException;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.exceptions.SAMLInResponseToMismatchException;
import org.pac4j.saml.exceptions.SAMLReplayException;
import org.pac4j.saml.exceptions.SAMLSignatureRequiredException;
import org.pac4j.saml.exceptions.SAMLSignatureValidationException;
import org.pac4j.saml.exceptions.SAMLSubjectConfirmationException;
import org.pac4j.saml.profile.impl.AbstractSAML2ResponseValidator;
import org.pac4j.saml.replay.ReplayCacheProvider;
import org.pac4j.saml.store.SAMLMessageStore;
import org.pac4j.saml.util.Configuration;
import org.pac4j.saml.util.SAML2Utils;

/* loaded from: input_file:WEB-INF/lib/pac4j-saml-5.3.1.jar:org/pac4j/saml/sso/impl/SAML2AuthnResponseValidator.class */
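/**
 * Validates a SAML 2.0 authentication {@link Response} (the IdP reply to an {@code AuthnRequest}) and turns
 * the first assertion that carries an authentication statement and passes every check into
 * {@link SAML2Credentials}.
 *
 * <p>Checks run in this order: message replay, protocol-level response checks (status, version, response
 * signature when required, issue instant, {@code InResponseTo} against the message store, destination,
 * issuer), decryption of encrypted assertions when a {@link Decrypter} is configured, then per-assertion
 * checks (version, issue instant, issuer, subject and bearer confirmation incl. assertion replay, conditions
 * and audience, authentication statements, assertion signature).
 *
 * <p>{@code verifyMessageReplay}, {@code validateSuccess}, {@code validateSignatureIfItExists},
 * {@code validateIssueInstant}, {@code verifyEndpoint}, {@code validateIssuerIfItExists},
 * {@code validateIssuer}, {@code decryptEncryptedId}, {@code validateSignature}, {@code isDateValid} and the
 * {@code logger}, {@code decrypter}, {@code replayCache}, {@code logoutHandler},
 * {@code signatureTrustEngineProvider} and {@code acceptedSkew} members are not defined here and come from the
 * {@link AbstractSAML2ResponseValidator} hierarchy.
 *
 * <p>Decompiled-source clean-up: raw collection types and an unresolvable {@code Optional<U>} were replaced by
 * their generic forms; a duplicated null/empty check on the subject confirmations was dropped; a missing
 * endpoint location now fails the bearer check instead of raising a {@link NullPointerException}.
 */
public class SAML2AuthnResponseValidator extends AbstractSAML2ResponseValidator {

    /**
     * Creates the validator.
     *
     * @param sAML2SignatureTrustEngineProvider provider of the trust engine used to verify signatures
     * @param decrypter                         decrypter for encrypted assertions/attributes/IDs; may be {@code null}
     * @param replayCacheProvider               provider of the replay cache used for assertion IDs
     * @param sAML2Configuration                configuration supplying the logout handler and the URI comparator
     */
    public SAML2AuthnResponseValidator(SAML2SignatureTrustEngineProvider sAML2SignatureTrustEngineProvider, Decrypter decrypter, ReplayCacheProvider replayCacheProvider, SAML2Configuration sAML2Configuration) {
        super(sAML2SignatureTrustEngineProvider, decrypter, sAML2Configuration.getLogoutHandler(), replayCacheProvider, sAML2Configuration.getUriComparator());
    }

    /**
     * Validates the inbound message as a SAML 2.0 authentication response and builds the credentials.
     *
     * @param sAML2MessageContext context holding the inbound message, endpoint/peer/self contexts and configuration
     * @return the {@link SAML2Credentials} built from the validated subject assertion
     * @throws SAMLException (or a subclass) when the message is not a {@link Response} or any check fails
     */
    @Override // org.pac4j.saml.profile.api.SAML2ResponseValidator
    public Credentials validate(SAML2MessageContext sAML2MessageContext) {
        SAMLObject message = (SAMLObject) sAML2MessageContext.getMessageContext().getMessage();
        if (!(message instanceof Response)) {
            throw new SAMLException("Must be a Response type");
        }
        Response response = (Response) message;
        SignatureTrustEngine trustEngine = this.signatureTrustEngineProvider.build();

        // Replay and protocol-level checks run before any assertion is decrypted or inspected.
        verifyMessageReplay(sAML2MessageContext);
        validateSamlProtocolResponse(response, sAML2MessageContext, trustEngine);
        if (this.decrypter != null) {
            decryptEncryptedAssertions(response, this.decrypter);
        }
        validateSamlSSOResponse(response, sAML2MessageContext, trustEngine, this.decrypter);
        return buildSAML2Credentials(sAML2MessageContext, response);
    }

    /**
     * Builds the credentials from the subject assertion stored in the context by
     * {@link #validateSamlSSOResponse}, and records the SLO session key with the logout handler when one can
     * be computed.
     *
     * @param sAML2MessageContext context whose subject assertion has already been validated
     * @param response            the validated response (supplies {@code InResponseTo})
     * @return the credentials: NameID, issuer, attributes, conditions, session index, authn context class refs
     */
    protected SAML2Credentials buildSAML2Credentials(SAML2MessageContext sAML2MessageContext, Response response) {
        Assertion subjectAssertion = sAML2MessageContext.getSubjectAssertion();
        List<Attribute> rawAttributes = collectAssertionAttributes(subjectAssertion);
        List<SAML2Credentials.SAMLAttribute> attributes = SAML2Credentials.SAMLAttribute.from(rawAttributes);
        SAML2Credentials.SAMLNameID nameId = determineNameID(sAML2MessageContext, attributes);

        String sessionIndex = getSessionIndex(subjectAssertion);
        String sloKey = computeSloKey(sessionIndex, nameId);
        if (sloKey != null) {
            this.logoutHandler.recordSession(sAML2MessageContext.getWebContext(), sAML2MessageContext.getSessionStore(), sloKey);
        }

        String issuer = subjectAssertion.getIssuer().getValue();
        List<String> authnContextClassRefs = new ArrayList<>();
        for (AuthnStatement authnStatement : subjectAssertion.getAuthnStatements()) {
            if (authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
                authnContextClassRefs.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getURI());
            }
        }
        return new SAML2Credentials(nameId, issuer, attributes, subjectAssertion.getConditions(), sessionIndex, authnContextClassRefs, response.getInResponseTo());
    }

    /**
     * Collects the plain attributes of every attribute statement and, when a decrypter is configured, the
     * decrypted encrypted attributes. An attribute whose decryption fails is logged and skipped, so the result
     * may be a subset of what the IdP asserted.
     *
     * @param assertion the subject assertion
     * @return the attributes found (never {@code null}; possibly empty)
     */
    protected List<Attribute> collectAssertionAttributes(Assertion assertion) {
        List<Attribute> attributes = new ArrayList<>();
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            attributes.addAll(statement.getAttributes());

            List<EncryptedAttribute> encryptedAttributes = statement.getEncryptedAttributes();
            if (encryptedAttributes.isEmpty()) {
                continue;
            }
            if (this.decrypter == null) {
                this.logger.warn("Encrypted attributes returned, but no keystore was provided.");
                continue;
            }
            for (EncryptedAttribute encryptedAttribute : encryptedAttributes) {
                try {
                    attributes.add(this.decrypter.decrypt(encryptedAttribute));
                } catch (DecryptionException e) {
                    this.logger.warn("Decryption of attribute failed, continue with the next one", e);
                }
            }
        }
        return attributes;
    }

    /**
     * Determines the NameID: from the configured NameID attribute when one is set and present among the
     * attributes, otherwise from the subject NameID recorded in the context.
     *
     * @param sAML2MessageContext context carrying the configuration and the subject name identifier context
     * @param list                the assertion attributes
     * @return the resolved NameID
     * @throws NullPointerException when no NameID attribute matched and the context holds no subject NameID
     */
    protected SAML2Credentials.SAMLNameID determineNameID(SAML2MessageContext sAML2MessageContext, List<SAML2Credentials.SAMLAttribute> list) {
        SAML2ConfigurationContext configurationContext = sAML2MessageContext.getConfigurationContext();
        String nameIdAttribute = configurationContext.getNameIdAttribute();
        if (nameIdAttribute != null) {
            // Compare from the configured (non-null) side so an attribute without a name is skipped, not an NPE.
            Optional<SAML2Credentials.SAMLNameID> fromAttribute = list.stream()
                .filter(attribute -> nameIdAttribute.equals(attribute.getName()))
                .findFirst()
                .map(SAML2Credentials.SAMLNameID::from);
            if (fromAttribute.isPresent()) {
                return fromAttribute.get();
            }
        }
        return SAML2Credentials.SAMLNameID.from(Objects.requireNonNull(sAML2MessageContext.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID()));
    }

    /**
     * Returns the session index of the first authentication statement, or {@code null} when there is none.
     *
     * @param assertion the subject assertion
     * @return the session index or {@code null}
     */
    protected String getSessionIndex(Assertion assertion) {
        List<AuthnStatement> authnStatements = assertion.getAuthnStatements();
        if (authnStatements == null || authnStatements.isEmpty()) {
            return null;
        }
        AuthnStatement first = authnStatements.get(0);
        return first == null ? null : first.getSessionIndex();
    }

    /**
     * Protocol-level checks on the response itself: success status, SAML 2.0 version, response signature
     * (mandatory when {@code wantsResponsesSigned} is set; validated whenever present), issue instant,
     * {@code InResponseTo} against the message store, destination against the endpoint locations, the
     * original request when it is known, and the issuer when present.
     *
     * @param response              the response under validation
     * @param sAML2MessageContext   context holding the message store, endpoint context and configuration
     * @param signatureTrustEngine  trust engine used for the response signature
     * @throws SAMLException                       on a wrong version
     * @throws SAMLSignatureValidationException    when a signature is required but absent
     * @throws SAMLInResponseToMismatchException   when {@code InResponseTo} is unknown or not an AuthnRequest
     */
    protected void validateSamlProtocolResponse(Response response, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        SAML2ConfigurationContext configurationContext = sAML2MessageContext.getConfigurationContext();
        validateSuccess(response.getStatus());
        if (!response.getVersion().equals(SAMLVersion.VERSION_20)) {
            throw new SAMLException("Invalid SAML version assigned to the response " + response.getVersion());
        }
        if (configurationContext.isWantsResponsesSigned() && response.getSignature() == null) {
            this.logger.debug("Unable to find a signature on the SAML response returned. Pac4j is configured to enforce signatures on SAML2 responses from identity providers and the returned response\n{}\ndoes not contain any signature", Configuration.serializeSamlObject(response));
            throw new SAMLSignatureValidationException("Unable to find a signature on the SAML response returned");
        }
        validateSignatureIfItExists(response.getSignature(), sAML2MessageContext, signatureTrustEngine);
        validateIssueInstant(response.getIssueInstant());

        // InResponseTo is only checked when a message store exists; an unknown or non-AuthnRequest entry is rejected.
        AuthnRequest authnRequest = null;
        SAMLMessageStore messageStore = sAML2MessageContext.getSAMLMessageStore();
        if (messageStore != null && response.getInResponseTo() != null) {
            Optional<XMLObject> storedRequest = messageStore.get(response.getInResponseTo());
            if (storedRequest.isEmpty()) {
                throw new SAMLInResponseToMismatchException("InResponseToField of the Response doesn't correspond to sent message " + response.getInResponseTo());
            }
            if (!(storedRequest.get() instanceof AuthnRequest)) {
                throw new SAMLInResponseToMismatchException("Sent request was of different type than the expected AuthnRequest " + response.getInResponseTo());
            }
            authnRequest = (AuthnRequest) storedRequest.get();
        }

        Endpoint endpoint = Objects.requireNonNull(sAML2MessageContext.getSAMLEndpointContext().getEndpoint());
        List<String> endpointLocations = new ArrayList<>();
        if (endpoint.getLocation() != null) {
            endpointLocations.add(endpoint.getLocation());
        }
        if (endpoint.getResponseLocation() != null) {
            endpointLocations.add(endpoint.getResponseLocation());
        }
        verifyEndpoint(endpointLocations, response.getDestination(), sAML2MessageContext.getSAML2Configuration().isResponseDestinationAttributeMandatory());

        if (authnRequest != null) {
            verifyRequest(authnRequest, sAML2MessageContext);
        }
        validateIssuerIfItExists(response.getIssuer(), sAML2MessageContext);
    }

    /**
     * Compares the response's receiving endpoint and binding with what the original request asked for.
     * Mismatches are only logged at WARN level; nothing here rejects the response.
     *
     * @param authnRequest        the request retrieved from the message store
     * @param sAML2MessageContext context whose endpoint context holds the receiving {@link AssertionConsumerService}
     */
    protected void verifyRequest(AuthnRequest authnRequest, SAML2MessageContext sAML2MessageContext) {
        AssertionConsumerService acs = (AssertionConsumerService) sAML2MessageContext.getSAMLEndpointContext().getEndpoint();

        Integer requestedIndex = authnRequest.getAssertionConsumerServiceIndex();
        if (requestedIndex != null) {
            if (!requestedIndex.equals(acs.getIndex())) {
                this.logger.warn("Response was received at a different endpoint index than was requested");
            }
            return;
        }

        String requestedAcsUrl = authnRequest.getAssertionConsumerServiceURL();
        if (requestedAcsUrl != null) {
            String actualLocation = acs.getResponseLocation() != null ? acs.getResponseLocation() : acs.getLocation();
            if (!requestedAcsUrl.equals(actualLocation)) {
                this.logger.warn("Response was received at a different endpoint URL {} than was requested {}", actualLocation, requestedAcsUrl);
            }
        }

        String requestedBinding = authnRequest.getProtocolBinding();
        String actualBinding = sAML2MessageContext.getSAMLBindingContext().getBindingUri();
        if (requestedBinding != null && !requestedBinding.equals(actualBinding)) {
            this.logger.warn("Response was received using a different binding {} than was requested {}", actualBinding, requestedBinding);
        }
    }

    /**
     * Walks the assertions that carry at least one authentication statement and validates them in order. The
     * first one that passes becomes the context's subject assertion; any failure before that is collected and
     * re-thrown, so a response containing an invalid assertion is rejected even if a later one is valid.
     * Afterwards, when no subject confirmation was recorded, requires either a configured NameID attribute or a
     * non-empty subject NameID / BaseID in the context.
     *
     * @param response              the response whose assertions are validated
     * @param sAML2MessageContext   context receiving the subject assertion, NameID/BaseID and confirmations
     * @param signatureTrustEngine  trust engine for assertion signatures
     * @param decrypter             decrypter for encrypted IDs; may be {@code null}
     * @throws SAMLException                    the first assertion failure, or missing subject identifiers
     * @throws SAMAssertionSubjectException     when no assertion with an authentication statement validated
     */
    protected void validateSamlSSOResponse(Response response, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        List<SAMLException> errors = new ArrayList<>();
        for (Assertion assertion : response.getAssertions()) {
            if (assertion.getAuthnStatements().isEmpty()) {
                continue;
            }
            try {
                validateAssertion(assertion, sAML2MessageContext, signatureTrustEngine, decrypter);
                sAML2MessageContext.setSubjectAssertion(assertion);
                break;
            } catch (SAMLException e) {
                this.logger.error("Current assertion validation failed, continue with the next one", e);
                errors.add(e);
            }
        }
        if (!errors.isEmpty()) {
            throw errors.get(0);
        }
        if (sAML2MessageContext.getSubjectAssertion() == null) {
            throw new SAMAssertionSubjectException("No valid subject assertion found in response");
        }

        List<SubjectConfirmation> subjectConfirmations = sAML2MessageContext.getSubjectConfirmations();
        SAML2ConfigurationContext configurationContext = sAML2MessageContext.getConfigurationContext();
        if (subjectConfirmations != null && !subjectConfirmations.isEmpty()) {
            return;
        }
        if (configurationContext.getNameIdAttribute() != null) {
            this.logger.debug("NameID will be determined from attribute {}", configurationContext.getNameIdAttribute());
            return;
        }
        NameID nameId = (NameID) sAML2MessageContext.getSAMLSubjectNameIdentifierContext().getSubjectNameIdentifier();
        if ((nameId == null || nameId.getValue() == null) && sAML2MessageContext.getBaseID() == null) {
            throw new SAMLException("Subject NameID, BaseID and EncryptedID cannot be all null at the same time without Subject Confirmations.");
        }
    }

    /**
     * Decrypts every encrypted assertion of the response and appends the result to the response's plain
     * assertions. A failed decryption is logged and skipped.
     *
     * @param response  the response holding the encrypted assertions
     * @param decrypter the decrypter to use (non-null; the caller checks)
     */
    protected void decryptEncryptedAssertions(Response response, Decrypter decrypter) {
        for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
            try {
                response.getAssertions().add(decrypter.decrypt(encryptedAssertion));
            } catch (DecryptionException e) {
                this.logger.error("Decryption of assertion failed, continue with the next one", e);
            }
        }
    }

    /**
     * Validates one assertion: version, issue instant, issuer, subject (with bearer confirmation and replay
     * check), conditions/audience, authentication statements and signature.
     *
     * @param assertion             the assertion
     * @param sAML2MessageContext   the message context
     * @param signatureTrustEngine  trust engine for the assertion signature
     * @param decrypter             decrypter for encrypted IDs; may be {@code null}
     * @throws SAMLException                  on a wrong version
     * @throws SAMAssertionSubjectException   when the assertion has no subject
     */
    protected void validateAssertion(Assertion assertion, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine, Decrypter decrypter) {
        if (!assertion.getVersion().equals(SAMLVersion.VERSION_20)) {
            throw new SAMLException("Invalid SAML assertion version");
        }
        validateIssueInstant(assertion.getIssueInstant());
        validateIssuer(assertion.getIssuer(), sAML2MessageContext);
        if (assertion.getSubject() == null) {
            throw new SAMAssertionSubjectException("Assertion subject cannot be null");
        }
        validateSubject(assertion.getSubject(), sAML2MessageContext, decrypter);
        validateAssertionConditions(assertion.getConditions(), sAML2MessageContext);
        validateAuthenticationStatements(assertion.getAuthnStatements(), sAML2MessageContext);
        validateAssertionSignature(assertion.getSignature(), sAML2MessageContext, signatureTrustEngine);
    }

    /**
     * Validates the subject. Records the subject's NameID/BaseID (an EncryptedID, once decrypted, takes
     * precedence over the plain NameID) in the context, then requires at least one bearer subject
     * confirmation whose data passes {@link #isValidBearerSubjectConfirmationData}. The first such confirmation
     * is replay-checked; if the subject itself carried no identifier, the confirmation's identifier is used
     * and the confirmation is recorded in the context. Only the first valid bearer confirmation is examined.
     *
     * @param subject             the assertion subject
     * @param sAML2MessageContext context receiving the NameID/BaseID and the confirmation
     * @param decrypter           decrypter for encrypted IDs; may be {@code null}
     * @throws SAMLSubjectConfirmationException when no bearer confirmation with valid data is found
     */
    protected void validateSubject(Subject subject, SAML2MessageContext sAML2MessageContext, Decrypter decrypter) {
        boolean identifierFound = false;
        NameID nameId = subject.getNameID();
        BaseID baseId = subject.getBaseID();
        NameID decryptedNameId = decryptEncryptedId(subject.getEncryptedID(), decrypter);
        if (decryptedNameId != null) {
            nameId = decryptedNameId;
        }
        if (nameId != null || baseId != null) {
            sAML2MessageContext.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(nameId);
            sAML2MessageContext.setBaseID(baseId);
            identifierFound = true;
        }

        for (SubjectConfirmation confirmation : subject.getSubjectConfirmations()) {
            if (!SubjectConfirmation.METHOD_BEARER.equals(confirmation.getMethod())
                || !isValidBearerSubjectConfirmationData(confirmation.getSubjectConfirmationData(), sAML2MessageContext)) {
                continue;
            }
            // The confirmation data's NotOnOrAfter bounds how long the assertion ID is remembered for replay.
            validateAssertionReplay((Assertion) subject.getParent(), confirmation.getSubjectConfirmationData());

            NameID confirmationNameId = confirmation.getNameID();
            BaseID confirmationBaseId = confirmation.getBaseID();
            NameID decryptedConfirmationNameId = decryptEncryptedId(confirmation.getEncryptedID(), decrypter);
            if (decryptedConfirmationNameId != null) {
                confirmationNameId = decryptedConfirmationNameId;
            }
            if (!identifierFound && (confirmationNameId != null || confirmationBaseId != null)) {
                sAML2MessageContext.getSAMLSubjectNameIdentifierContext().setSubjectNameIdentifier(confirmationNameId);
                sAML2MessageContext.setBaseID(confirmationBaseId);
                sAML2MessageContext.getSubjectConfirmations().add(confirmation);
                identifierFound = true;
            }
            if (!identifierFound) {
                this.logger.warn("Could not find any Subject NameID/BaseID/EncryptedID, neither directly in the Subject nor in any Subject Confirmation.");
            }
            return;
        }
        throw new SAMLSubjectConfirmationException("Subject confirmation validation failed");
    }

    /**
     * Checks bearer subject confirmation data: present, no {@code NotBefore}, a {@code NotOnOrAfter} that is
     * not older than now minus the accepted skew, and a {@code Recipient} that equals the endpoint location
     * after port normalization. Every failure is logged at DEBUG/WARN and answered with {@code false}.
     *
     * @param subjectConfirmationData the confirmation data; may be {@code null}
     * @param sAML2MessageContext     context whose endpoint context supplies the expected recipient
     * @return {@code true} when all checks pass
     */
    protected boolean isValidBearerSubjectConfirmationData(SubjectConfirmationData subjectConfirmationData, SAML2MessageContext sAML2MessageContext) {
        if (subjectConfirmationData == null) {
            this.logger.debug("SubjectConfirmationData cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotBefore() != null) {
            this.logger.debug("SubjectConfirmationData notBefore must be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter() == null) {
            this.logger.debug("SubjectConfirmationData notOnOrAfter cannot be null for Bearer confirmation");
            return false;
        }
        if (subjectConfirmationData.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBefore(ZonedDateTime.now(ZoneOffset.UTC).toInstant())) {
            this.logger.debug("SubjectConfirmationData notOnOrAfter is too old");
            return false;
        }
        if (subjectConfirmationData.getRecipient() == null) {
            this.logger.debug("SubjectConfirmationData recipient cannot be null for Bearer confirmation");
            return false;
        }
        Endpoint endpoint = sAML2MessageContext.getSAMLEndpointContext().getEndpoint();
        if (endpoint == null) {
            this.logger.warn("No endpoint was found in the SAML endpoint context");
            return false;
        }
        if (endpoint.getLocation() == null) {
            // new URI(null) would throw NullPointerException; treat a location-less endpoint as a failed check.
            this.logger.warn("The endpoint in the SAML endpoint context has no location to compare the recipient against");
            return false;
        }
        try {
            URI recipient = new URI(subjectConfirmationData.getRecipient());
            URI endpointLocation = new URI(endpoint.getLocation());
            if (SAML2Utils.urisEqualAfterPortNormalization(recipient, endpointLocation)) {
                return true;
            }
            this.logger.debug("SubjectConfirmationData recipient {} does not match SP assertion consumer URL, found. SP ACS URL from context: {}", recipient, endpointLocation);
            return false;
        } catch (URISyntaxException e) {
            this.logger.error("Unable to check SubjectConfirmationData recipient, a URI has invalid syntax.", e);
            return false;
        }
    }

    /**
     * Rejects an assertion whose ID has already been seen. The ID is remembered until the confirmation data's
     * {@code NotOnOrAfter} plus the accepted skew. Without a replay cache the check is skipped with a warning.
     *
     * @param assertion               the assertion whose ID is checked
     * @param subjectConfirmationData bearer confirmation data with a non-null {@code NotOnOrAfter}
     * @throws SAMLReplayException when the assertion has no ID or the ID was already seen
     */
    protected void validateAssertionReplay(Assertion assertion, SubjectConfirmationData subjectConfirmationData) {
        if (assertion.getID() == null) {
            throw new SAMLReplayException("The assertion does not have an ID");
        }
        if (this.replayCache == null) {
            this.logger.warn("No replay cache specified, skipping replay verification");
            return;
        }
        Instant expiration = Instant.ofEpochMilli(subjectConfirmationData.getNotOnOrAfter().toEpochMilli() + (this.acceptedSkew * 1000));
        if (!this.replayCache.get().check(getClass().getName(), assertion.getID(), expiration)) {
            throw new SAMLReplayException("Rejecting replayed assertion ID '" + assertion.getID() + "'");
        }
    }

    /**
     * Validates the assertion conditions (when present): {@code NotBefore} and {@code NotOnOrAfter} against
     * now with the accepted skew, then the audience restrictions against the SP entity ID.
     *
     * @param conditions          the conditions; {@code null} means no check at all
     * @param sAML2MessageContext context whose self entity context supplies the SP entity ID
     * @throws SAMLAssertionConditionException when a time condition fails
     */
    protected void validateAssertionConditions(Conditions conditions, SAML2MessageContext sAML2MessageContext) {
        if (conditions == null) {
            return;
        }
        Instant now = ZonedDateTime.now(ZoneOffset.UTC).toInstant();
        if (conditions.getNotBefore() != null && conditions.getNotBefore().minusSeconds(this.acceptedSkew).isAfter(now)) {
            throw new SAMLAssertionConditionException("Assertion condition notBefore is not valid");
        }
        if (conditions.getNotOnOrAfter() != null && conditions.getNotOnOrAfter().plusSeconds(this.acceptedSkew).isBefore(now)) {
            throw new SAMLAssertionConditionException("Assertion condition notOnOrAfter is not valid");
        }
        validateAudienceRestrictions(conditions.getAudienceRestrictions(), sAML2MessageContext.getSAMLSelfEntityContext().getEntityId());
    }

    /**
     * Requires the SP entity ID to be among the audiences of the restrictions. Audience restrictions are
     * mandatory: a {@code null} or empty list is rejected.
     *
     * @param list the audience restrictions
     * @param str  the SP entity ID
     * @throws SAMLAssertionAudienceException when no restriction exists or none names the SP
     */
    protected void validateAudienceRestrictions(List<AudienceRestriction> list, String str) {
        if (list == null || list.isEmpty()) {
            throw new SAMLAssertionAudienceException("Audience restrictions cannot be null or empty");
        }
        Set<String> audienceUris = new HashSet<>();
        for (AudienceRestriction restriction : list) {
            if (restriction.getAudiences() != null) {
                for (Audience audience : restriction.getAudiences()) {
                    audienceUris.add(audience.getURI());
                }
            }
        }
        if (!audienceUris.contains(str)) {
            throw new SAMLAssertionAudienceException("Assertion audience " + audienceUris + " does not match SP configuration " + str);
        }
    }

    /**
     * Validates every authentication statement: the authn instant against the maximum authentication lifetime
     * and {@code SessionNotOnOrAfter} against now (no skew applied), then the collected authn context class
     * refs against the configured ones.
     *
     * @param list                the authentication statements
     * @param sAML2MessageContext the message context
     * @throws SAMLAuthnInstantException          when an authn instant is too old or in the future
     * @throws SAMLAuthnSessionCriteriaException  when the IdP session has already ended
     */
    protected void validateAuthenticationStatements(List<AuthnStatement> list, SAML2MessageContext sAML2MessageContext) {
        List<String> authnContextClassRefs = new ArrayList<>();
        Instant now = ZonedDateTime.now(ZoneOffset.UTC).toInstant();
        for (AuthnStatement authnStatement : list) {
            if (!isAuthnInstantValid(sAML2MessageContext, authnStatement.getAuthnInstant())) {
                throw new SAMLAuthnInstantException("Authentication issue instant is too old or in the future");
            }
            if (authnStatement.getSessionNotOnOrAfter() != null && authnStatement.getSessionNotOnOrAfter().isBefore(now)) {
                throw new SAMLAuthnSessionCriteriaException("Authentication session between IDP and subject has ended");
            }
            if (authnStatement.getAuthnContext().getAuthnContextClassRef() != null) {
                authnContextClassRefs.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getURI());
            }
        }
        validateAuthnContextClassRefs(sAML2MessageContext, authnContextClassRefs);
    }

    /**
     * When the configuration lists required authn context class refs, every one of them must appear among the
     * refs found in the assertion (size of the intersection equals the size of the required list).
     *
     * @param sAML2MessageContext context carrying the configuration
     * @param list                the authn context class refs found in the assertion
     * @throws SAMLAuthnContextClassRefException when a required ref is missing
     */
    protected void validateAuthnContextClassRefs(SAML2MessageContext sAML2MessageContext, List<String> list) {
        SAML2ConfigurationContext configurationContext = sAML2MessageContext.getConfigurationContext();
        List<String> requiredRefs = configurationContext.getAuthnContextClassRefs();
        if (requiredRefs.isEmpty()) {
            return;
        }
        this.logger.debug("Required authentication context class refs are {}", requiredRefs);
        this.logger.debug("Found authentication context class refs are {}", list);
        if (CollectionUtils.intersection(requiredRefs, list).size() != requiredRefs.size()) {
            throw new SAMLAuthnContextClassRefException("Requested authentication context class refs do not match  those in authentication statements from IDP.");
        }
    }

    /**
     * Validates the assertion signature when present. An unsigned assertion is accepted only when assertions
     * are not required to be signed and either the peer was already authenticated (e.g. through a valid
     * response signature) or all signature validation is disabled by configuration.
     *
     * @param signature             the assertion signature; may be {@code null}
     * @param sAML2MessageContext   context carrying the peer entity context and configuration
     * @param signatureTrustEngine  trust engine used to verify the signature
     * @throws SAMLSignatureRequiredException when an unsigned assertion is not acceptable
     */
    protected void validateAssertionSignature(Signature signature, SAML2MessageContext sAML2MessageContext, SignatureTrustEngine signatureTrustEngine) {
        SAML2ConfigurationContext configurationContext = sAML2MessageContext.getConfigurationContext();
        SAMLPeerEntityContext peerEntityContext = sAML2MessageContext.getSAMLPeerEntityContext();
        if (signature != null) {
            validateSignature(signature, peerEntityContext.getEntityId(), signatureTrustEngine);
            return;
        }
        // Auto-unboxing: a null WantAssertionsSigned in the SP descriptor surfaces as an NPE here (unchanged).
        if (wantsAssertionsSigned(sAML2MessageContext)) {
            throw new SAMLSignatureRequiredException("Assertion must be explicitly signed");
        }
        if (!peerEntityContext.isAuthenticated() && !configurationContext.getSAML2Configuration().isAllSignatureValidationDisabled()) {
            throw new SAMLSignatureRequiredException("Unauthenticated response contains an unsigned assertion");
        }
    }

    /**
     * Whether assertions must be signed: taken from the SP metadata descriptor when one is in the context,
     * otherwise from the configuration.
     *
     * @param sAML2MessageContext the message context
     * @return the descriptor's {@code WantAssertionsSigned} (may be {@code null} when the descriptor omits it)
     *         or the configured flag
     */
    @VisibleForTesting
    Boolean wantsAssertionsSigned(SAML2MessageContext sAML2MessageContext) {
        SPSSODescriptor spDescriptor = sAML2MessageContext.getSPSSODescriptor();
        if (spDescriptor == null) {
            return sAML2MessageContext.getConfigurationContext().isWantsAssertionsSigned();
        }
        return spDescriptor.getWantAssertionsSigned();
    }

    /**
     * Checks the authn instant against the configured maximum authentication lifetime; a lifetime of zero or
     * less disables the check (logged at INFO).
     *
     * @param sAML2MessageContext context carrying the configuration
     * @param instant             the authn instant
     * @return {@code true} when the instant is acceptable or the check is disabled
     */
    private boolean isAuthnInstantValid(SAML2MessageContext sAML2MessageContext, Instant instant) {
        Long maximumAuthenticationLifetime = sAML2MessageContext.getConfigurationContext().getMaximumAuthenticationLifetime();
        if (maximumAuthenticationLifetime.longValue() > 0) {
            return isDateValid(instant, maximumAuthenticationLifetime.longValue());
        }
        this.logger.info("Maximum authentication lifetime is set to {} with authn-instant {}. Validation will be disabled.", maximumAuthenticationLifetime, instant);
        return true;
    }
}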
