more complete
This commit is contained in:
parent
cc9d6d0cf7
commit
1e9c09d23a
31 changed files with 481 additions and 156 deletions
|
@ -11,7 +11,7 @@ import java.util.concurrent.ConcurrentHashMap;
|
|||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||
* @version $Revision: 1 $
|
||||
*/
|
||||
public class InMemorySessionIdMapper implements SessionIdMaper {
|
||||
public class InMemorySessionIdMapper implements SessionIdMapper {
|
||||
ConcurrentHashMap<String, String> ssoToSession = new ConcurrentHashMap<>();
|
||||
ConcurrentHashMap<String, String> sessionToSso = new ConcurrentHashMap<>();
|
||||
ConcurrentHashMap<String, Set<String>> principalToSession = new ConcurrentHashMap<>();
|
||||
|
@ -33,8 +33,10 @@ public class InMemorySessionIdMapper implements SessionIdMaper {
|
|||
|
||||
@Override
|
||||
public void map(String sso, String principal, String session) {
|
||||
if (sso != null) {
|
||||
ssoToSession.put(sso, session);
|
||||
sessionToSso.put(session, sso);
|
||||
}
|
||||
Set<String> userSessions = principalToSession.get(principal);
|
||||
if (userSessions == null) {
|
||||
final Set<String> tmp = Collections.synchronizedSet(new HashSet<String>());
|
||||
|
|
|
@ -6,7 +6,7 @@ import java.util.Set;
|
|||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||
* @version $Revision: 1 $
|
||||
*/
|
||||
public interface SessionIdMaper {
|
||||
public interface SessionIdMapper {
|
||||
Set<String> getUserSessions(String principal);
|
||||
|
||||
String getSessionFromSSO(String sso);
|
|
@ -3,6 +3,7 @@ package org.keycloak.adapters.saml;
|
|||
import org.keycloak.adapters.saml.SamlDeployment;
|
||||
import org.keycloak.adapters.saml.config.IDP;
|
||||
import org.keycloak.enums.SslRequired;
|
||||
import org.keycloak.saml.SignatureAlgorithm;
|
||||
|
||||
import java.security.KeyPair;
|
||||
import java.security.PrivateKey;
|
||||
|
@ -18,7 +19,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
public static class DefaultSingleSignOnService implements IDP.SingleSignOnService {
|
||||
private boolean signRequest;
|
||||
private boolean validateResponseSignature;
|
||||
private String signatureCanonicalizationMethod;
|
||||
private Binding requestBinding;
|
||||
private Binding responseBinding;
|
||||
private String requestBindingUrl;
|
||||
|
@ -33,11 +33,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
return validateResponseSignature;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Binding getRequestBinding() {
|
||||
return requestBinding;
|
||||
|
@ -61,10 +56,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
this.validateResponseSignature = validateResponseSignature;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setRequestBinding(Binding requestBinding) {
|
||||
this.requestBinding = requestBinding;
|
||||
}
|
||||
|
@ -83,7 +74,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
private boolean validateResponseSignature;
|
||||
private boolean signRequest;
|
||||
private boolean signResponse;
|
||||
private String signatureCanonicalizationMethod;
|
||||
private Binding requestBinding;
|
||||
private Binding responseBinding;
|
||||
private String requestBindingUrl;
|
||||
|
@ -109,11 +99,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
return signResponse;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Binding getRequestBinding() {
|
||||
return requestBinding;
|
||||
|
@ -150,10 +135,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
this.signResponse = signResponse;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setRequestBinding(Binding requestBinding) {
|
||||
this.requestBinding = requestBinding;
|
||||
}
|
||||
|
@ -233,6 +214,8 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
private PrincipalNamePolicy principalNamePolicy = PrincipalNamePolicy.FROM_NAME_ID;
|
||||
private String principalAttributeName;
|
||||
private String logoutPage;
|
||||
private SignatureAlgorithm signatureAlgorithm;
|
||||
private String signatureCanonicalizationMethod;
|
||||
|
||||
|
||||
@Override
|
||||
|
@ -360,4 +343,22 @@ public class DefaultSamlDeployment implements SamlDeployment {
|
|||
public void setLogoutPage(String logoutPage) {
|
||||
this.logoutPage = logoutPage;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
@Override
|
||||
public SignatureAlgorithm getSignatureAlgorithm() {
|
||||
return signatureAlgorithm;
|
||||
}
|
||||
|
||||
public void setSignatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
|
||||
this.signatureAlgorithm = signatureAlgorithm;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -43,18 +43,21 @@ public class InitiateLogin implements AuthChallenge {
|
|||
nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
|
||||
}
|
||||
|
||||
String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
|
||||
|
||||
if (deployment.getIDP().getSingleSignOnService().getResponseBinding() == SamlDeployment.Binding.POST) {
|
||||
protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
|
||||
}
|
||||
|
||||
SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
|
||||
.destination(destinationUrl)
|
||||
.issuer(issuerURL)
|
||||
.forceAuthn(deployment.isForceAuthentication())
|
||||
.protocolBinding(protocolBinding)
|
||||
.nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
|
||||
if (deployment.getIDP().getSingleSignOnService().getResponseBinding() != null) {
|
||||
String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
|
||||
if (deployment.getIDP().getSingleSignOnService().getResponseBinding() == SamlDeployment.Binding.POST) {
|
||||
protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
|
||||
}
|
||||
authnRequestBuilder.protocolBinding(protocolBinding);
|
||||
|
||||
}
|
||||
if (deployment.getAssertionConsumerServiceUrl() != null) {
|
||||
authnRequestBuilder.assertionConsumerUrl(deployment.getAssertionConsumerServiceUrl());
|
||||
}
|
||||
|
@ -67,8 +70,8 @@ public class InitiateLogin implements AuthChallenge {
|
|||
if (keypair == null) {
|
||||
throw new RuntimeException("Signing keys not configured");
|
||||
}
|
||||
if (deployment.getIDP().getSingleSignOnService().getSignatureCanonicalizationMethod() != null) {
|
||||
binding.canonicalizationMethod(deployment.getIDP().getSingleSignOnService().getSignatureCanonicalizationMethod());
|
||||
if (deployment.getSignatureCanonicalizationMethod() != null) {
|
||||
binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
|
||||
}
|
||||
|
||||
binding.signWith(keypair);
|
||||
|
@ -78,7 +81,7 @@ public class InitiateLogin implements AuthChallenge {
|
|||
|
||||
Document document = authnRequestBuilder.toDocument();
|
||||
SamlDeployment.Binding samlBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
|
||||
SamlUtil.sendSaml(httpFacade, actionUrl, binding, document, samlBinding);
|
||||
SamlUtil.sendSaml(true, httpFacade, actionUrl, binding, document, samlBinding);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException("Could not create authentication request.", e);
|
||||
}
|
||||
|
|
|
@ -25,11 +25,11 @@ import org.keycloak.saml.common.constants.GeneralConstants;
|
|||
import org.keycloak.saml.common.exceptions.ConfigurationException;
|
||||
import org.keycloak.saml.common.exceptions.ParsingException;
|
||||
import org.keycloak.saml.common.exceptions.ProcessingException;
|
||||
import org.keycloak.saml.common.util.Base64;
|
||||
import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
|
||||
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
|
||||
import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
|
||||
import org.keycloak.saml.processing.web.util.PostBindingUtil;
|
||||
import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
|
||||
import org.keycloak.util.KeycloakUriBuilder;
|
||||
import org.keycloak.util.MultivaluedHashMap;
|
||||
import org.w3c.dom.Document;
|
||||
|
@ -103,7 +103,7 @@ public abstract class SamlAuthenticator {
|
|||
binding.relayState("logout");
|
||||
|
||||
try {
|
||||
SamlUtil.sendSaml(facade, deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(), binding, logoutBuilder.buildDocument(), deployment.getIDP().getSingleLogoutService().getRequestBinding());
|
||||
SamlUtil.sendSaml(true, facade, deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(), binding, logoutBuilder.buildDocument(), deployment.getIDP().getSingleLogoutService().getRequestBinding());
|
||||
} catch (ProcessingException e) {
|
||||
throw new RuntimeException(e);
|
||||
} catch (ConfigurationException e) {
|
||||
|
@ -119,15 +119,22 @@ public abstract class SamlAuthenticator {
|
|||
protected AuthOutcome handleSamlRequest(String samlRequest, String relayState) {
|
||||
SAMLDocumentHolder holder = null;
|
||||
boolean postBinding = false;
|
||||
String requestUri = facade.getRequest().getURI();
|
||||
if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
|
||||
// strip out query params
|
||||
int index = requestUri.indexOf('?');
|
||||
if (index > -1) {
|
||||
requestUri = requestUri.substring(0, index);
|
||||
}
|
||||
holder = SAMLRequestParser.parseRequestRedirectBinding(samlRequest);
|
||||
} else {
|
||||
postBinding = true;
|
||||
holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
|
||||
}
|
||||
RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
|
||||
if (!facade.getRequest().getURI().toString().equals(requestAbstractType.getDestination())) {
|
||||
throw new RuntimeException("destination not equal to request");
|
||||
if (!requestUri.equals(requestAbstractType.getDestination().toString())) {
|
||||
log.error("expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'");
|
||||
throw new RuntimeException("destination not equal to request.");
|
||||
}
|
||||
|
||||
if (requestAbstractType instanceof LogoutRequestType) {
|
||||
|
@ -156,14 +163,15 @@ public abstract class SamlAuthenticator {
|
|||
builder.issuer(issuerURL);
|
||||
BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder().relayState(relayState);
|
||||
if (deployment.getIDP().getSingleLogoutService().signResponse()) {
|
||||
binding.signWith(deployment.getSigningKeyPair())
|
||||
binding.signatureAlgorithm(deployment.getSignatureAlgorithm())
|
||||
.signWith(deployment.getSigningKeyPair())
|
||||
.signDocument();
|
||||
binding.canonicalizationMethod(deployment.getIDP().getSingleLogoutService().getSignatureCanonicalizationMethod());
|
||||
if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
|
||||
}
|
||||
|
||||
|
||||
try {
|
||||
SamlUtil.sendSaml(facade, deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(), binding, builder.buildDocument(),
|
||||
SamlUtil.sendSaml(false, facade, deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(), binding, builder.buildDocument(),
|
||||
deployment.getIDP().getSingleLogoutService().getResponseBinding());
|
||||
} catch (ConfigurationException e) {
|
||||
throw new RuntimeException(e);
|
||||
|
@ -180,7 +188,12 @@ public abstract class SamlAuthenticator {
|
|||
protected AuthOutcome handleSamlResponse(String samlResponse, String relayState) {
|
||||
SAMLDocumentHolder holder = null;
|
||||
boolean postBinding = false;
|
||||
String requestUri = facade.getRequest().getURI();
|
||||
if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
|
||||
int index = requestUri.indexOf('?');
|
||||
if (index > -1) {
|
||||
requestUri = requestUri.substring(0, index);
|
||||
}
|
||||
holder = extractRedirectBindingResponse(samlResponse);
|
||||
} else {
|
||||
postBinding = true;
|
||||
|
@ -188,18 +201,18 @@ public abstract class SamlAuthenticator {
|
|||
}
|
||||
StatusResponseType statusResponse = (StatusResponseType)holder.getSamlObject();
|
||||
// validate destination
|
||||
if (!facade.getRequest().getURI().toString().equals(statusResponse.getDestination())) {
|
||||
if (!requestUri.equals(statusResponse.getDestination())) {
|
||||
throw new RuntimeException("destination not equal to request");
|
||||
}
|
||||
if (statusResponse instanceof ResponseType) {
|
||||
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
|
||||
validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
|
||||
validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
|
||||
}
|
||||
return handleLoginResponse((ResponseType)statusResponse);
|
||||
|
||||
} else {
|
||||
if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) {
|
||||
validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
|
||||
validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
|
||||
}
|
||||
// todo need to check that it is actually a LogoutResponse
|
||||
return handleLogoutResponse(holder, statusResponse, relayState);
|
||||
|
@ -320,10 +333,16 @@ public abstract class SamlAuthenticator {
|
|||
sessionStore.saveAccount(account);
|
||||
completeAuthentication(account);
|
||||
|
||||
|
||||
// redirect to original request, it will be restored
|
||||
facade.getResponse().setHeader("Location", sessionStore.getRedirectUri());
|
||||
String redirectUri = sessionStore.getRedirectUri();
|
||||
if (redirectUri != null) {
|
||||
facade.getResponse().setHeader("Location", redirectUri);
|
||||
facade.getResponse().setStatus(302);
|
||||
facade.getResponse().end();
|
||||
} else {
|
||||
log.debug("IDP initiated invocation");
|
||||
}
|
||||
|
||||
|
||||
return AuthOutcome.AUTHENTICATED;
|
||||
|
@ -400,7 +419,9 @@ public abstract class SamlAuthenticator {
|
|||
String signature = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
|
||||
String decodedAlgorithm = facade.getRequest().getQueryParamValue(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY);
|
||||
|
||||
if (request == null) throw new VerificationException("SAM was null");
|
||||
if (request == null) {
|
||||
throw new VerificationException("SAML Request was null");
|
||||
}
|
||||
if (algorithm == null) throw new VerificationException("SigAlg was null");
|
||||
if (signature == null) throw new VerificationException("Signature was null");
|
||||
|
||||
|
@ -417,7 +438,8 @@ public abstract class SamlAuthenticator {
|
|||
String rawQuery = builder.build().getRawQuery();
|
||||
|
||||
try {
|
||||
byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
|
||||
//byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature);
|
||||
byte[] decodedSignature = Base64.decode(signature);
|
||||
|
||||
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.getFromXmlMethod(decodedAlgorithm);
|
||||
Signature validator = signatureAlgorithm.createSignature(); // todo plugin signature alg
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package org.keycloak.adapters.saml;
|
||||
|
||||
import org.keycloak.enums.SslRequired;
|
||||
import org.keycloak.saml.SignatureAlgorithm;
|
||||
|
||||
import java.security.KeyPair;
|
||||
import java.security.PrivateKey;
|
||||
|
@ -32,7 +33,6 @@ public interface SamlDeployment {
|
|||
public interface SingleSignOnService {
|
||||
boolean signRequest();
|
||||
boolean validateResponseSignature();
|
||||
String getSignatureCanonicalizationMethod();
|
||||
Binding getRequestBinding();
|
||||
Binding getResponseBinding();
|
||||
String getRequestBindingUrl();
|
||||
|
@ -42,7 +42,6 @@ public interface SamlDeployment {
|
|||
boolean validateResponseSignature();
|
||||
boolean signRequest();
|
||||
boolean signResponse();
|
||||
String getSignatureCanonicalizationMethod();
|
||||
Binding getRequestBinding();
|
||||
Binding getResponseBinding();
|
||||
String getRequestBindingUrl();
|
||||
|
@ -59,6 +58,8 @@ public interface SamlDeployment {
|
|||
boolean isForceAuthentication();
|
||||
PrivateKey getDecryptionKey();
|
||||
KeyPair getSigningKeyPair();
|
||||
String getSignatureCanonicalizationMethod();
|
||||
SignatureAlgorithm getSignatureAlgorithm();
|
||||
String getAssertionConsumerServiceUrl();
|
||||
String getLogoutPage();
|
||||
|
||||
|
|
|
@ -13,9 +13,11 @@ import java.io.IOException;
|
|||
* @version $Revision: 1 $
|
||||
*/
|
||||
public class SamlUtil {
|
||||
public static void sendSaml(HttpFacade httpFacade, String actionUrl, BaseSAML2BindingBuilder binding, Document document, SamlDeployment.Binding samlBinding) throws ProcessingException, ConfigurationException, IOException {
|
||||
public static void sendSaml(boolean asRequest, HttpFacade httpFacade, String actionUrl,
|
||||
BaseSAML2BindingBuilder binding, Document document,
|
||||
SamlDeployment.Binding samlBinding) throws ProcessingException, ConfigurationException, IOException {
|
||||
if (samlBinding == SamlDeployment.Binding.POST) {
|
||||
String html = binding.postBinding(document).getHtmlRequest(actionUrl);
|
||||
String html = asRequest ? binding.postBinding(document).getHtmlRequest(actionUrl) : binding.postBinding(document).getHtmlResponse(actionUrl) ;
|
||||
httpFacade.getResponse().setStatus(200);
|
||||
httpFacade.getResponse().setHeader("Content-Type", "text/html");
|
||||
httpFacade.getResponse().setHeader("Pragma", "no-cache");
|
||||
|
@ -23,9 +25,11 @@ public class SamlUtil {
|
|||
httpFacade.getResponse().getOutputStream().write(html.getBytes());
|
||||
httpFacade.getResponse().end();
|
||||
} else {
|
||||
String uri = binding.redirectBinding(document).requestURI(actionUrl).toString();
|
||||
String uri = asRequest ? binding.redirectBinding(document).requestURI(actionUrl).toString() : binding.redirectBinding(document).responseURI(actionUrl).toString();
|
||||
httpFacade.getResponse().setStatus(302);
|
||||
httpFacade.getResponse().setHeader("Location", uri);
|
||||
httpFacade.getResponse().end();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -13,7 +13,6 @@ public class IDP implements Serializable {
|
|||
public static class SingleSignOnService implements Serializable {
|
||||
private boolean signRequest;
|
||||
private boolean validateResponseSignature;
|
||||
private String signatureCanonicalizationMethod;
|
||||
private String requestBinding;
|
||||
private String responseBinding;
|
||||
private String bindingUrl;
|
||||
|
@ -34,14 +33,6 @@ public class IDP implements Serializable {
|
|||
this.validateResponseSignature = validateResponseSignature;
|
||||
}
|
||||
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public String getRequestBinding() {
|
||||
return requestBinding;
|
||||
}
|
||||
|
@ -72,7 +63,6 @@ public class IDP implements Serializable {
|
|||
private boolean signResponse;
|
||||
private boolean validateRequestSignature;
|
||||
private boolean validateResponseSignature;
|
||||
private String signatureCanonicalizationMethod;
|
||||
private String requestBinding;
|
||||
private String responseBinding;
|
||||
private String postBindingUrl;
|
||||
|
@ -110,14 +100,6 @@ public class IDP implements Serializable {
|
|||
this.validateResponseSignature = validateResponseSignature;
|
||||
}
|
||||
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public String getRequestBinding() {
|
||||
return requestBinding;
|
||||
}
|
||||
|
|
|
@ -42,6 +42,8 @@ public class SP implements Serializable {
|
|||
private PrincipalNameMapping principalNameMapping;
|
||||
private Set<String> roleAttributes;
|
||||
private Set<String> roleFriendlyAttributes;
|
||||
private String signatureAlgorithm;
|
||||
private String signatureCanonicalizationMethod;
|
||||
private IDP idp;
|
||||
|
||||
public String getEntityID() {
|
||||
|
@ -123,4 +125,20 @@ public class SP implements Serializable {
|
|||
public void setLogoutPage(String logoutPage) {
|
||||
this.logoutPage = logoutPage;
|
||||
}
|
||||
|
||||
public String getSignatureAlgorithm() {
|
||||
return signatureAlgorithm;
|
||||
}
|
||||
|
||||
public void setSignatureAlgorithm(String signatureAlgorithm) {
|
||||
this.signatureAlgorithm = signatureAlgorithm;
|
||||
}
|
||||
|
||||
public String getSignatureCanonicalizationMethod() {
|
||||
return signatureCanonicalizationMethod;
|
||||
}
|
||||
|
||||
public void setSignatureCanonicalizationMethod(String signatureCanonicalizationMethod) {
|
||||
this.signatureCanonicalizationMethod = signatureCanonicalizationMethod;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,6 +11,8 @@ public class ConfigXmlConstants {
|
|||
public static final String SSL_POLICY_ATTR = "sslPolicy";
|
||||
public static final String NAME_ID_POLICY_FORMAT_ATTR = "nameIDPolicyFormat";
|
||||
public static final String FORCE_AUTHENTICATION_ATTR = "forceAuthentication";
|
||||
public static final String SIGNATURE_ALGORITHM_ATTR = "signatureAlgorithm";
|
||||
public static final String SIGNATURE_CANONICALIZATION_METHOD_ATTR = "signatureCanonicalizationMethod";
|
||||
public static final String LOGOUT_PAGE_ATTR = "logoutPage";
|
||||
|
||||
|
||||
|
@ -45,7 +47,6 @@ public class ConfigXmlConstants {
|
|||
public static final String SINGLE_LOGOUT_SERVICE_ELEMENT = "SingleLogoutService";
|
||||
public static final String SIGN_REQUEST_ATTR = "signRequest";
|
||||
public static final String SIGN_RESPONSE_ATTR = "signResponse";
|
||||
public static final String SIGNATURE_CANONICALIZATION_METHOD_ATTR = "signatureCanonicalizationMethod";
|
||||
public static final String REQUEST_BINDING_ATTR = "requestBinding";
|
||||
public static final String RESPONSE_BINDING_ATTR = "responseBinding";
|
||||
public static final String BINDING_URL_ATTR = "bindingUrl";
|
||||
|
|
|
@ -6,6 +6,7 @@ import org.keycloak.adapters.saml.config.Key;
|
|||
import org.keycloak.adapters.saml.config.KeycloakSamlAdapter;
|
||||
import org.keycloak.adapters.saml.config.SP;
|
||||
import org.keycloak.enums.SslRequired;
|
||||
import org.keycloak.saml.SignatureAlgorithm;
|
||||
import org.keycloak.saml.common.exceptions.ParsingException;
|
||||
import org.keycloak.util.PemUtils;
|
||||
|
||||
|
@ -40,6 +41,11 @@ public class DeploymentBuilder {
|
|||
deployment.setForceAuthentication(sp.isForceAuthentication());
|
||||
deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat());
|
||||
deployment.setLogoutPage(sp.getLogoutPage());
|
||||
deployment.setSignatureCanonicalizationMethod(sp.getSignatureCanonicalizationMethod());
|
||||
deployment.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
|
||||
if (sp.getSignatureAlgorithm() != null) {
|
||||
deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(sp.getSignatureAlgorithm()));
|
||||
}
|
||||
if (sp.getPrincipalNameMapping() != null) {
|
||||
SamlDeployment.PrincipalNamePolicy policy = SamlDeployment.PrincipalNamePolicy.valueOf(sp.getPrincipalNameMapping().getPolicy());
|
||||
deployment.setPrincipalNamePolicy(policy);
|
||||
|
@ -51,6 +57,7 @@ public class DeploymentBuilder {
|
|||
SslRequired ssl = SslRequired.valueOf(sp.getSslPolicy());
|
||||
deployment.setSslRequired(ssl);
|
||||
}
|
||||
if (sp.getKeys() != null) {
|
||||
for (Key key : sp.getKeys()) {
|
||||
if (key.isSigning()) {
|
||||
PrivateKey privateKey = null;
|
||||
|
@ -60,7 +67,7 @@ public class DeploymentBuilder {
|
|||
Certificate cert = null;
|
||||
try {
|
||||
cert = keyStore.getCertificate(key.getKeystore().getCertificateAlias());
|
||||
privateKey = (PrivateKey)keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
|
||||
privateKey = (PrivateKey) keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
@ -71,7 +78,7 @@ public class DeploymentBuilder {
|
|||
}
|
||||
try {
|
||||
privateKey = PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
|
||||
if (key.getPublicKeyPem() == null &&key.getCertificatePem() == null) {
|
||||
if (key.getPublicKeyPem() == null && key.getCertificatePem() == null) {
|
||||
throw new RuntimeException("Sp signing key must have a PublicKey or Certificate defined");
|
||||
}
|
||||
publicKey = getPublicKeyFromPem(key);
|
||||
|
@ -85,20 +92,22 @@ public class DeploymentBuilder {
|
|||
} else if (key.isEncryption()) {
|
||||
KeyStore keyStore = loadKeystore(resourceLoader, key);
|
||||
try {
|
||||
PrivateKey privateKey = (PrivateKey)keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
|
||||
PrivateKey privateKey = (PrivateKey) keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
|
||||
deployment.setDecryptionKey(privateKey);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
deployment.setIdp(idp);
|
||||
idp.setEntityID(sp.getIdp().getEntityID());
|
||||
sso.setRequestBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleSignOnService().getRequestBinding()));
|
||||
sso.setRequestBindingUrl(sp.getIdp().getSingleSignOnService().getBindingUrl());
|
||||
if (sp.getIdp().getSingleSignOnService().getResponseBinding() != null) {
|
||||
sso.setResponseBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleSignOnService().getResponseBinding()));
|
||||
sso.setSignatureCanonicalizationMethod(sp.getIdp().getSingleSignOnService().getSignatureCanonicalizationMethod());
|
||||
}
|
||||
sso.setSignRequest(sp.getIdp().getSingleSignOnService().isSignRequest());
|
||||
sso.setValidateResponseSignature(sp.getIdp().getSingleSignOnService().isValidateResponseSignature());
|
||||
|
||||
|
@ -106,7 +115,6 @@ public class DeploymentBuilder {
|
|||
slo.setSignResponse(sp.getIdp().getSingleLogoutService().isSignResponse());
|
||||
slo.setValidateResponseSignature(sp.getIdp().getSingleLogoutService().isValidateResponseSignature());
|
||||
slo.setValidateRequestSignature(sp.getIdp().getSingleLogoutService().isValidateRequestSignature());
|
||||
slo.setSignatureCanonicalizationMethod(sp.getIdp().getSingleLogoutService().getSignatureCanonicalizationMethod());
|
||||
slo.setRequestBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleLogoutService().getRequestBinding()));
|
||||
slo.setResponseBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleLogoutService().getResponseBinding()));
|
||||
if (slo.getRequestBinding() == SamlDeployment.Binding.POST) {
|
||||
|
@ -119,6 +127,7 @@ public class DeploymentBuilder {
|
|||
} else {
|
||||
slo.setResponseBindingUrl(sp.getIdp().getSingleLogoutService().getRedirectBindingUrl());
|
||||
}
|
||||
if (sp.getIdp().getKeys() != null) {
|
||||
for (Key key : sp.getIdp().getKeys()) {
|
||||
if (key.isSigning()) {
|
||||
if (key.getKeystore() != null) {
|
||||
|
@ -143,6 +152,7 @@ public class DeploymentBuilder {
|
|||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return deployment;
|
||||
|
|
|
@ -72,7 +72,6 @@ public class IDPXmlParser extends AbstractParser {
|
|||
slo.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR));
|
||||
slo.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR));
|
||||
slo.setValidateRequestSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_REQUEST_SIGNATURE_ATTR));
|
||||
slo.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
|
||||
slo.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
slo.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
slo.setSignResponse(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_RESPONSE_ATTR));
|
||||
|
@ -86,7 +85,6 @@ public class IDPXmlParser extends AbstractParser {
|
|||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
sso.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR));
|
||||
sso.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR));
|
||||
sso.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
|
||||
sso.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
sso.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
sso.setBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
|
||||
|
|
|
@ -37,6 +37,8 @@ public class SPXmlParser extends AbstractParser {
|
|||
sp.setSslPolicy(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SSL_POLICY_ATTR));
|
||||
sp.setLogoutPage(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
|
||||
sp.setNameIDPolicyFormat(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
|
||||
sp.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
|
||||
sp.setSignatureAlgorithm(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR));
|
||||
sp.setForceAuthentication(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
|
||||
while (xmlEventReader.hasNext()) {
|
||||
XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
|
||||
|
|
|
@ -55,7 +55,6 @@ public class XmlParserTest {
|
|||
Assert.assertEquals("idp", idp.getEntityID());
|
||||
Assert.assertTrue(idp.getSingleSignOnService().isSignRequest());
|
||||
Assert.assertTrue(idp.getSingleSignOnService().isValidateResponseSignature());
|
||||
Assert.assertEquals("canon", idp.getSingleSignOnService().getSignatureCanonicalizationMethod());
|
||||
Assert.assertEquals("post", idp.getSingleSignOnService().getRequestBinding());
|
||||
Assert.assertEquals("url", idp.getSingleSignOnService().getBindingUrl());
|
||||
|
||||
|
@ -63,7 +62,6 @@ public class XmlParserTest {
|
|||
Assert.assertTrue(idp.getSingleLogoutService().isSignResponse());
|
||||
Assert.assertTrue(idp.getSingleLogoutService().isValidateRequestSignature());
|
||||
Assert.assertTrue(idp.getSingleLogoutService().isValidateResponseSignature());
|
||||
Assert.assertEquals("canon", idp.getSingleLogoutService().getSignatureCanonicalizationMethod());
|
||||
Assert.assertEquals("redirect", idp.getSingleLogoutService().getRequestBinding());
|
||||
Assert.assertEquals("post", idp.getSingleLogoutService().getResponseBinding());
|
||||
Assert.assertEquals("posturl", idp.getSingleLogoutService().getPostBindingUrl());
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
<SP entityID="sp"
|
||||
sslPolicy="ssl"
|
||||
nameIDPolicyFormat="format"
|
||||
signatureAlgorithm=""
|
||||
sgnatureCanonicalizationMethod=""
|
||||
forceAuthentication="true">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
|
@ -27,7 +29,6 @@
|
|||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
signatureCanonicalizationMethod="canon"
|
||||
requestBinding="post"
|
||||
bindingUrl="url"
|
||||
/>
|
||||
|
@ -37,7 +38,6 @@
|
|||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
signatureCanonicalizationMethod="canon"
|
||||
requestBinding="redirect"
|
||||
responseBinding="post"
|
||||
postBindingUrl="posturl"
|
||||
|
@ -51,11 +51,5 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
<Keys>
|
||||
<KeyStore>
|
||||
|
||||
</KeyStore>
|
||||
</Keys>
|
||||
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
|
@ -5,6 +5,8 @@ import io.undertow.server.HttpServerExchange;
|
|||
import io.undertow.servlet.handlers.ServletRequestContext;
|
||||
import io.undertow.util.Headers;
|
||||
import org.keycloak.adapters.HttpFacade;
|
||||
import org.keycloak.adapters.InMemorySessionIdMapper;
|
||||
import org.keycloak.adapters.SessionIdMapper;
|
||||
import org.keycloak.adapters.saml.SamlDeployment;
|
||||
import org.keycloak.adapters.saml.SamlDeploymentContext;
|
||||
import org.keycloak.adapters.saml.SamlSessionStore;
|
||||
|
@ -23,13 +25,14 @@ import java.io.IOException;
|
|||
* @version $Revision: 1 $
|
||||
*/
|
||||
public class ServletSamlAuthMech extends AbstractSamlAuthMech {
|
||||
private SessionIdMapper idMapper = new InMemorySessionIdMapper();
|
||||
public ServletSamlAuthMech(SamlDeploymentContext deploymentContext, UndertowUserSessionManagement sessionManagement, String errorPage) {
|
||||
super(deploymentContext, sessionManagement, errorPage);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected SamlSessionStore getTokenStore(HttpServerExchange exchange, HttpFacade facade, SamlDeployment deployment, SecurityContext securityContext) {
|
||||
return new ServletSamlSessionStore(exchange, sessionManagement, securityContext);
|
||||
return new ServletSamlSessionStore(exchange, sessionManagement, securityContext, idMapper);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -4,11 +4,13 @@ import io.undertow.security.api.SecurityContext;
|
|||
import io.undertow.security.idm.Account;
|
||||
import io.undertow.server.HttpServerExchange;
|
||||
import io.undertow.server.session.Session;
|
||||
import io.undertow.server.session.SessionManager;
|
||||
import io.undertow.servlet.handlers.ServletRequestContext;
|
||||
import io.undertow.servlet.spec.HttpSessionImpl;
|
||||
import io.undertow.servlet.util.SavedRequest;
|
||||
import io.undertow.util.Sessions;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.adapters.SessionIdMapper;
|
||||
import org.keycloak.adapters.saml.SamlSession;
|
||||
import org.keycloak.adapters.saml.SamlSessionStore;
|
||||
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
|
||||
|
@ -17,6 +19,8 @@ import org.keycloak.util.KeycloakUriBuilder;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import java.security.Principal;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
|
@ -31,32 +35,67 @@ public class ServletSamlSessionStore implements SamlSessionStore {
|
|||
private final HttpServerExchange exchange;
|
||||
private final UndertowUserSessionManagement sessionManagement;
|
||||
private final SecurityContext securityContext;
|
||||
private final SessionIdMapper idMapper;
|
||||
|
||||
public ServletSamlSessionStore(HttpServerExchange exchange, UndertowUserSessionManagement sessionManagement,
|
||||
SecurityContext securityContext) {
|
||||
SecurityContext securityContext,
|
||||
SessionIdMapper idMapper) {
|
||||
this.exchange = exchange;
|
||||
this.sessionManagement = sessionManagement;
|
||||
this.securityContext = securityContext;
|
||||
this.idMapper = idMapper;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void logoutAccount() {
|
||||
HttpSession session = getSession(false);
|
||||
if (session != null) {
|
||||
SamlSession samlSession = (SamlSession)session.getAttribute(SamlSession.class.getName());
|
||||
if (samlSession != null) {
|
||||
if (samlSession.getSessionIndex() != null) {
|
||||
idMapper.removeSession(session.getId());
|
||||
}
|
||||
session.removeAttribute(SamlSession.class.getName());
|
||||
}
|
||||
session.removeAttribute(SAML_REDIRECT_URI);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void logoutByPrincipal(String principal) {
|
||||
Set<String> sessions = idMapper.getUserSessions(principal);
|
||||
if (sessions != null) {
|
||||
List<String> ids = new LinkedList<>();
|
||||
ids.addAll(sessions);
|
||||
logoutSessionIds(ids);
|
||||
for (String id : ids) {
|
||||
idMapper.removeSession(id);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
public void logoutBySsoId(List<String> ssoIds) {
|
||||
if (ssoIds == null) return;
|
||||
List<String> sessionIds = new LinkedList<>();
|
||||
for (String id : ssoIds) {
|
||||
String sessionId = idMapper.getSessionFromSSO(id);
|
||||
if (sessionId != null) {
|
||||
sessionIds.add(sessionId);
|
||||
idMapper.removeSession(sessionId);
|
||||
}
|
||||
|
||||
}
|
||||
logoutSessionIds(sessionIds);
|
||||
}
|
||||
|
||||
protected void logoutSessionIds(List<String> sessionIds) {
|
||||
if (sessionIds == null || sessionIds.isEmpty()) return;
|
||||
final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
|
||||
SessionManager sessionManager = servletRequestContext.getDeployment().getSessionManager();
|
||||
sessionManagement.logoutHttpSessions(sessionManager, sessionIds);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isLoggedIn() {
|
||||
|
@ -93,6 +132,7 @@ public class ServletSamlSessionStore implements SamlSessionStore {
|
|||
HttpSession session = getSession(true);
|
||||
session.setAttribute(SamlSession.class.getName(), account);
|
||||
sessionManagement.login(servletRequestContext.getDeployment().getSessionManager());
|
||||
idMapper.map(account.getSessionIndex(), account.getPrincipal().getSamlSubject(), session.getId());
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -625,6 +625,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
|
||||
.assertionExpiration(realm.getAccessCodeLifespan())
|
||||
.issuer(getResponseIssuer(realm))
|
||||
.sessionIndex(clientSession.getId())
|
||||
.userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT))
|
||||
.destination(logoutUrl);
|
||||
return logoutBuilder;
|
||||
|
|
|
@ -68,20 +68,20 @@ public class SamlBindingTest {
|
|||
public void initWars() {
|
||||
ClassLoader classLoader = SamlBindingTest.class.getClassLoader();
|
||||
|
||||
//initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-post-transient", "/sales-post-sig-transient", "post-sig-transient.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-post-persistent", "/sales-post-sig-persistent", "post-sig-persistent.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-post-transient", "/sales-post-sig-transient", "post-sig-transient.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-post-persistent", "/sales-post-sig-persistent", "post-sig-persistent.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-metadata", "/sales-metadata", "post-metadata.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
|
||||
//initializeSamlSecuredWar("/saml/simple-get", "/employee", "employee.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/signed-front-get", "/employee-sig-front", "employee-sig-front.war", classLoader);
|
||||
initializeSamlSecuredWar("/keycloak-saml/signed-front-get", "/employee-sig-front", "employee-sig-front.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/bad-client-signed-post", "/bad-client-sales-post-sig", "bad-client-post-sig.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/bad-realm-signed-post", "/bad-realm-sales-post-sig", "bad-realm-post-sig.war", classLoader);
|
||||
//initializeSamlSecuredWar("/keycloak-saml/encrypted-post", "/sales-post-enc", "post-enc.war", classLoader);
|
||||
//uploadSP();
|
||||
//server.getServer().deploy(createDeploymentInfo("employee.war", "/employee", SamlSPFacade.class));
|
||||
server.getServer().deploy(createDeploymentInfo("employee.war", "/employee", SamlSPFacade.class));
|
||||
|
||||
|
||||
|
||||
|
@ -411,7 +411,8 @@ public class SamlBindingTest {
|
|||
driver.navigate().to("http://localhost:8081/employee-sig?GLO=true");
|
||||
checkLoggedOut("http://localhost:8081/employee-sig/");
|
||||
driver.navigate().to("http://localhost:8081/employee-sig-front/");
|
||||
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
|
||||
String currentUrl = driver.getCurrentUrl();
|
||||
Assert.assertTrue(currentUrl.startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig/");
|
||||
Assert.assertTrue(driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/demo/protocol/saml"));
|
||||
|
||||
|
@ -505,6 +506,4 @@ public class SamlBindingTest {
|
|||
response.close();
|
||||
client.close();
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/employee-sig-front/"
|
||||
sslPolicy="EXTERNAL"
|
||||
logoutPage="/logout.jsp"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/employee-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/employee-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="REDIRECT"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="REDIRECT"
|
||||
responseBinding="REDIRECT"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
Binary file not shown.
|
@ -0,0 +1,44 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/employee-sig/"
|
||||
sslPolicy="EXTERNAL"
|
||||
logoutPage="/logout.jsp"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/employee-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/employee-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="REDIRECT"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="REDIRECT"
|
||||
responseBinding="REDIRECT"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
Binary file not shown.
|
@ -0,0 +1,44 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/sales-post-sig-email/"
|
||||
sslPolicy="EXTERNAL"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="POST"
|
||||
responseBinding="POST"
|
||||
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
Binary file not shown.
|
@ -0,0 +1,45 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/sales-post-sig-persistent/"
|
||||
sslPolicy="EXTERNAL"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="POST"
|
||||
responseBinding="POST"
|
||||
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
Binary file not shown.
|
@ -0,0 +1,45 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/sales-post-sig-transient/"
|
||||
sslPolicy="EXTERNAL"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="POST"
|
||||
responseBinding="POST"
|
||||
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
Binary file not shown.
|
@ -0,0 +1,24 @@
|
|||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/sales-post/"
|
||||
sslPolicy="EXTERNAL"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
<SingleLogoutService
|
||||
requestBinding="POST"
|
||||
responseBinding="POST"
|
||||
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>
|
|
@ -209,7 +209,7 @@
|
|||
"attributes": {
|
||||
"saml.server.signature": "true",
|
||||
"saml.client.signature": "true",
|
||||
"saml.signature.algorithm": "RSA_SHA1",
|
||||
"saml.signature.algorithm": "RSA_SHA256",
|
||||
"saml.authnstatement": "true",
|
||||
"saml.signing.certificate": "MIIB0DCCATkCBgFJH5u0EDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNodHRwOi8vbG9jYWxob3N0OjgwODAvZW1wbG95ZWUtc2lnLzAeFw0xNDEwMTcxOTMzNThaFw0yNDEwMTcxOTM1MzhaMC4xLDAqBgNVBAMTI2h0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9lbXBsb3llZS1zaWcvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+9kVgPFpshjS2aT2g52lqTv2lqb1jgvXZVk7iFF4LAO6SdCXKXRZI4SuzIRkVNpE1a42V1kQRlaozoFklgvX5sje8tkpa9ylq+bxGXM9RRycqRu2B+oWUV7Aqq7Bs0Xud0WeHQYRcEoCjqsFKGy65qkLRDdT70FTJgpSHts+gDwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACKyPLGqMX8GsIrCfJU8eVnpaqzTXMglLVo/nTcfAnWe9UAdVe8N3a2PXpDBvuqNA/DEAhVcQgxdlOTWnB6s8/yLTRuH0bZgb3qGdySif+lU+E7zZ/SiDzavAvn+ABqemnzHcHyhYO+hNRGHvUbW5OAii9Vdjhm8BI32YF1NwhKp"
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue