Merge remote-tracking branch 'upstream/master'

2015-03-02 21:40:01 -05:00 · 2015-03-02 21:40:01 -05:00 · 0559c1df06
commit 0559c1df06
parent 753feae49e eb43d0b779
2 changed files with 13 additions and 1 deletions
--- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html
+++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html
@ -41,7 +41,8 @@
                            </select>
                        </div>
                    </div>
-                    <span tooltip-placement="right" tooltip="'Confidential' applications require a secret to initiate login protocol.  'Public' clients do not require a secret.  'Bearer-only' applications are web services that never initiate a login." class="fa fa-info-circle"></span>
+                    <span tooltip-placement="right" tooltip="'OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.
+                    'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information." class="fa fa-info-circle"></span>
                </div>
                <div class="form-group" data-ng-show="protocol == 'openid-connect'">
                    <label class="col-sm-2 control-label" for="accessType">Access Type</label>
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
@ -20,6 +20,7 @@ import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
+import org.keycloak.services.managers.HttpAuthenticationManager;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.resources.flows.Flows;
 import org.keycloak.util.StreamUtil;
@ -258,9 +259,19 @@ public class SamlService {
            Response response = authManager.checkNonFormAuthentication(session, clientSession, realm, uriInfo, request, clientConnection, headers, event);
            if (response != null) return response;

+            // SPNEGO/Kerberos authentication TODO: This should be somehow pluggable instead of hardcoded this way (Authentication interceptors?)
+            HttpAuthenticationManager httpAuthManager = new HttpAuthenticationManager(session, clientSession, realm, uriInfo, request, clientConnection, event);
+            HttpAuthenticationManager.HttpAuthOutput httpAuthOutput = httpAuthManager.spnegoAuthenticate();
+            if (httpAuthOutput.getResponse() != null) return httpAuthOutput.getResponse();
+
            LoginFormsProvider forms = Flows.forms(session, realm, clientSession.getClient(), uriInfo)
                    .setClientSessionCode(new ClientSessionCode(realm, clientSession).getCode());

+            // Attach state from SPNEGO authentication
+            if (httpAuthOutput.getChallenge() != null) {
+                httpAuthOutput.getChallenge().sendChallenge(forms);
+            }
+
            String rememberMeUsername = AuthenticationManager.getRememberMeUsername(realm, headers);

            if (rememberMeUsername != null) {