keycloak-scim/securing_apps/topics/saml/java/jboss-adapter/securing_wars.adoc


===== Securing WARs via {project_name} SAML Subsystem

You do not have to crack open a WAR to secure it with {project_name}.
Alternatively, you can externally secure it via the {project_name} SAML Adapter Subsystem.
While you don't have to specify KEYCLOAK-SAML as an `auth-method`, you still have to define the `security-constraints` in `web.xml`.
You do not, however, have to create a `WEB-INF/keycloak-saml.xml` file.
This metadata is instead defined within the XML in your server's `domain.xml` or `standalone.xml` subsystem configuration section.

[source,xml]
----

<extensions>
  <extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
</extensions>

<profile>
  <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
    <secure-deployment name="WAR MODULE NAME.war">
      <SP entityID="APPLICATION URL">
        ...
      </SP>
    </secure-deployment>
  </subsystem>
</profile>
----        

The `secure-deployment` `name` attribute identifies the WAR you want to secure.
Its value is the `module-name` defined in `web.xml` with `.war` appended.
The rest of the configuration uses the same XML syntax as `keycloak-saml.xml` configuration defined in <<_saml-general-config,General Adapter Config>>.

An example configuration: 

[source,xml]
----

<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
  <secure-deployment name="saml-post-encryption.war">
    <SP entityID="http://localhost:8080/sales-post-enc/"
        sslPolicy="EXTERNAL"
        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        logoutPage="/logout.jsp"
        forceAuthentication="false">
      <Keys>
        <Key signing="true" encryption="true">
          <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
            <PrivateKey alias="http://localhost:8080/sales-post-enc/" password="test123"/>
            <Certificate alias="http://localhost:8080/sales-post-enc/"/>
          </KeyStore>
        </Key>
      </Keys>
      <PrincipalNameMapping policy="FROM_NAME_ID"/>
      <RoleIdentifiers>
        <Attribute name="Role"/>
      </RoleIdentifiers>
      <IDP entityID="idp">
        <SingleSignOnService signRequest="true"
            validateResponseSignature="true"
            requestBinding="POST"
            bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>

        <SingleLogoutService
            validateRequestSignature="true"
            validateResponseSignature="true"
            signRequest="true"
            signResponse="true"
            requestBinding="POST"
            responseBinding="POST"
            postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
            redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
        <Keys>
          <Key signing="true" >
            <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
              <Certificate alias="saml-demo"/>
            </KeyStore>
          </Key>
        </Keys>
      </IDP>
    </SP>
   </secure-deployment>
</subsystem>
----
initial saml 2016-06-02 16:07:45 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`===== Securing WARs via {project_name} SAML Subsystem`
initial saml 2016-06-02 16:07:45 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`You do not have to crack open a WAR to secure it with {project_name}.`
			`Alternatively, you can externally secure it via the {project_name} SAML Adapter Subsystem.`
initial saml 2016-06-02 16:07:45 +00:00			While you don't have to specify KEYCLOAK-SAML as an `auth-method`, you still have to define the `security-constraints` in `web.xml`.
			You do not, however, have to create a `WEB-INF/keycloak-saml.xml` file.
saml general config 2016-06-02 21:18:42 +00:00			This metadata is instead defined within the XML in your server's `domain.xml` or `standalone.xml` subsystem configuration section.
initial saml 2016-06-02 16:07:45 +00:00
			`[source,xml]`
			`----`

			`<extensions>`
			`<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>`
			`</extensions>`

			`<profile>`
			`<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">`
			`<secure-deployment name="WAR MODULE NAME.war">`
			`<SP entityID="APPLICATION URL">`
			`...`
			`</SP>`
			`</secure-deployment>`
			`</subsystem>`
			`</profile>`
			`----`

			The `secure-deployment` `name` attribute identifies the WAR you want to secure.
			Its value is the `module-name` defined in `web.xml` with `.war` appended.
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			The rest of the configuration uses the same XML syntax as `keycloak-saml.xml` configuration defined in <<_saml-general-config,General Adapter Config>>.
initial saml 2016-06-02 16:07:45 +00:00
			`An example configuration:`

			`[source,xml]`
			`----`

			`<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">`
			`<secure-deployment name="saml-post-encryption.war">`
			`<SP entityID="http://localhost:8080/sales-post-enc/"`
			`sslPolicy="EXTERNAL"`
			`nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"`
			`logoutPage="/logout.jsp"`
			`forceAuthentication="false">`
			`<Keys>`
			`<Key signing="true" encryption="true">`
			`<KeyStore resource="/WEB-INF/keystore.jks" password="store123">`
			`<PrivateKey alias="http://localhost:8080/sales-post-enc/" password="test123"/>`
			`<Certificate alias="http://localhost:8080/sales-post-enc/"/>`
			`</KeyStore>`
			`</Key>`
			`</Keys>`
			`<PrincipalNameMapping policy="FROM_NAME_ID"/>`
			`<RoleIdentifiers>`
			`<Attribute name="Role"/>`
			`</RoleIdentifiers>`
			`<IDP entityID="idp">`
			`<SingleSignOnService signRequest="true"`
			`validateResponseSignature="true"`
			`requestBinding="POST"`
			`bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>`

			`<SingleLogoutService`
			`validateRequestSignature="true"`
			`validateResponseSignature="true"`
			`signRequest="true"`
			`signResponse="true"`
			`requestBinding="POST"`
			`responseBinding="POST"`
			`postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"`
			`redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>`
			`<Keys>`
			`<Key signing="true" >`
			`<KeyStore resource="/WEB-INF/keystore.jks" password="store123">`
			`<Certificate alias="saml-demo"/>`
			`</KeyStore>`
			`</Key>`
			`</Keys>`
			`</IDP>`
			`</SP>`
			`</secure-deployment>`
			`</subsystem>`
			`----`