From 21e2fa8784647d2311abe386c477c87bc659eb61 Mon Sep 17 00:00:00 2001 From: Martin Ball Date: Thu, 7 Mar 2019 14:19:16 +0000 Subject: [PATCH] KEYCLOAK-4249 - Make IDP URL in keycloak-saml.xml configurable Added the metadata url as an attribute on the IDP in the keycloak saml configuration which then propagates through to the DefaultSamlDeployment where it is used on the construction of the SamlDescriptorPublicKeyLocator thereby allowing support for ADFS or other IDP which uses a path that is different to the Keycloak IDP. To make this work when testing with ADFS a change was made to SamlDescriptorIDPKeysExtractor because it would not extract keys from metadata which contained the EntityDescriptor as the root element. The solution was to change the xpath expression in SamlDescriptorIDPKeysExtractor so that it does not require a wrapping EntitiesDescriptor but instead loads all EntityDescriptors located in the document. This allows it to handle a single EntityDescriptor or multiple descriptors wrapped in an EntitiesDescriptor in the same xpath expression. A unit test SamlDescriptorIDPKeysExtractorTest has been added which validates that keys can be loaded in both scenarios. --- .../adapters/saml/DefaultSamlDeployment.java | 12 +- .../keycloak/adapters/saml/config/IDP.java | 8 + .../config/parsers/DeploymentBuilder.java | 74 +-- .../saml/config/parsers/IdpParser.java | 2 +- .../parsers/KeycloakSamlAdapterV1QNames.java | 1 + .../SamlDescriptorIDPKeysExtractor.java | 2 +- .../schema/keycloak_saml_adapter_1_10.xsd | 466 ++++++++++++++++++ .../KeycloakSamlAdapterXMLParserTest.java | 17 +- .../SamlDescriptorIDPKeysExtractorTest.java | 39 ++ .../keycloak-saml-with-metadata-url.xml | 77 +++ ...th-entities-descriptor-as-root-element.xml | 43 ++ ...with-entity-descriptor-as-root-element.xml | 47 ++ 12 files changed, 749 insertions(+), 39 deletions(-) create mode 100644 adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_10.xsd create mode 100644 adapters/saml/core/src/test/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractorTest.java create mode 100644 adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/config/parsers/keycloak-saml-with-metadata-url.xml create mode 100644 adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entities-descriptor-as-root-element.xml create mode 100644 adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entity-descriptor-as-root-element.xml diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java index 9a6e2880ec..2b2ba061f6 100755 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java @@ -206,6 +206,7 @@ public class DefaultSamlDeployment implements SamlDeployment { private final List signatureValidationKeys = new LinkedList<>(); private int minTimeBetweenDescriptorRequests; private HttpClient client; + private String metadataUrl; @Override public String getEntityID() { @@ -259,11 +260,10 @@ public class DefaultSamlDeployment implements SamlDeployment { if (! this.signatureValidationKeys.isEmpty()) { this.signatureValidationKeyLocator.add(new HardcodedKeyLocator(this.signatureValidationKeys)); } else if (this.singleSignOnService != null) { - String samlDescriptorUrl = singleSignOnService.getRequestBindingUrl() + "/descriptor"; HttpClient httpClient = getClient(); SamlDescriptorPublicKeyLocator samlDescriptorPublicKeyLocator = new SamlDescriptorPublicKeyLocator( - samlDescriptorUrl, this.minTimeBetweenDescriptorRequests, DEFAULT_CACHE_TTL, httpClient); + getMetadataUrl(), this.minTimeBetweenDescriptorRequests, DEFAULT_CACHE_TTL, httpClient); this.signatureValidationKeyLocator.add(samlDescriptorPublicKeyLocator); } } @@ -276,6 +276,14 @@ public class DefaultSamlDeployment implements SamlDeployment { public void setClient(HttpClient client) { this.client = client; } + + public String getMetadataUrl() { + return metadataUrl == null ? singleSignOnService.getRequestBindingUrl() + "/descriptor" : metadataUrl; + } + + public void setMetadataUrl(String metadataUrl) { + this.metadataUrl = metadataUrl; + } } private IDP idp; diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java index a32e122132..25097aa215 100755 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/IDP.java @@ -269,6 +269,7 @@ public class IDP implements Serializable { private List keys; private AdapterHttpClientConfig httpClientConfig = new HttpClientConfig(); private boolean signaturesRequired = false; + private String metadataUrl; public String getEntityID() { return entityID; @@ -340,4 +341,11 @@ public class IDP implements Serializable { this.signaturesRequired = signaturesRequired; } + public String getMetadataUrl() { + return metadataUrl; + } + + public void setMetadataUrl(String metadataUrl) { + this.metadataUrl = metadataUrl; + } } diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java index c5cdb2c9e6..e33f4e768b 100755 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java @@ -20,6 +20,7 @@ package org.keycloak.adapters.saml.config.parsers; import org.jboss.logging.Logger; import org.keycloak.adapters.saml.DefaultSamlDeployment; import org.keycloak.adapters.saml.SamlDeployment; +import org.keycloak.adapters.saml.config.IDP; import org.keycloak.adapters.saml.config.Key; import org.keycloak.adapters.saml.config.KeycloakSamlAdapter; import org.keycloak.adapters.saml.config.SP; @@ -58,11 +59,11 @@ public class DeploymentBuilder { public SamlDeployment build(InputStream xml, ResourceLoader resourceLoader) throws ParsingException { DefaultSamlDeployment deployment = new DefaultSamlDeployment(); - DefaultSamlDeployment.DefaultIDP idp = new DefaultSamlDeployment.DefaultIDP(); + DefaultSamlDeployment.DefaultIDP defaultIDP = new DefaultSamlDeployment.DefaultIDP(); DefaultSamlDeployment.DefaultSingleSignOnService sso = new DefaultSamlDeployment.DefaultSingleSignOnService(); DefaultSamlDeployment.DefaultSingleLogoutService slo = new DefaultSamlDeployment.DefaultSingleLogoutService(); - idp.setSingleSignOnService(sso); - idp.setSingleLogoutService(slo); + defaultIDP.setSingleSignOnService(sso); + defaultIDP.setSingleLogoutService(slo); KeycloakSamlAdapter adapter = (KeycloakSamlAdapter) KeycloakSamlAdapterParser.getInstance().parse(xml); SP sp = adapter.getSps().get(0); @@ -77,11 +78,12 @@ public class DeploymentBuilder { deployment.setIsPassive(sp.isIsPassive()); deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat()); deployment.setLogoutPage(sp.getLogoutPage()); - deployment.setSignatureCanonicalizationMethod(sp.getIdp().getSignatureCanonicalizationMethod()); + IDP idp = sp.getIdp(); + deployment.setSignatureCanonicalizationMethod(idp.getSignatureCanonicalizationMethod()); deployment.setAutodetectBearerOnly(sp.isAutodetectBearerOnly()); deployment.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256); - if (sp.getIdp().getSignatureAlgorithm() != null) { - deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(sp.getIdp().getSignatureAlgorithm())); + if (idp.getSignatureAlgorithm() != null) { + deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(idp.getSignatureAlgorithm())); } if (sp.getPrincipalNameMapping() != null) { SamlDeployment.PrincipalNamePolicy policy = SamlDeployment.PrincipalNamePolicy.valueOf(sp.getPrincipalNameMapping().getPolicy()); @@ -161,49 +163,53 @@ public class DeploymentBuilder { } } - deployment.setIdp(idp); - idp.setEntityID(sp.getIdp().getEntityID()); - sso.setRequestBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleSignOnService().getRequestBinding())); - sso.setRequestBindingUrl(sp.getIdp().getSingleSignOnService().getBindingUrl()); - if (sp.getIdp().getSingleSignOnService().getResponseBinding() != null) { - sso.setResponseBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleSignOnService().getResponseBinding())); + deployment.setIdp(defaultIDP); + defaultIDP.setEntityID(idp.getEntityID()); + sso.setRequestBinding(SamlDeployment.Binding.parseBinding( + idp.getSingleSignOnService().getRequestBinding())); + sso.setRequestBindingUrl(idp.getSingleSignOnService().getBindingUrl()); + if (idp.getSingleSignOnService().getResponseBinding() != null) { + sso.setResponseBinding(SamlDeployment.Binding.parseBinding( + idp.getSingleSignOnService().getResponseBinding())); } - if (sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl() != null) { - if (! sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) { + if (idp.getSingleSignOnService().getAssertionConsumerServiceUrl() != null) { + if (! idp.getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) { throw new RuntimeException("AssertionConsumerServiceUrl must end with \"/saml\"."); } - sso.setAssertionConsumerServiceUrl(URI.create(sp.getIdp().getSingleSignOnService().getAssertionConsumerServiceUrl())); + sso.setAssertionConsumerServiceUrl(URI.create(idp.getSingleSignOnService().getAssertionConsumerServiceUrl())); } - sso.setSignRequest(sp.getIdp().getSingleSignOnService().isSignRequest()); - sso.setValidateResponseSignature(sp.getIdp().getSingleSignOnService().isValidateResponseSignature()); - sso.setValidateAssertionSignature(sp.getIdp().getSingleSignOnService().isValidateAssertionSignature()); + sso.setSignRequest(idp.getSingleSignOnService().isSignRequest()); + sso.setValidateResponseSignature(idp.getSingleSignOnService().isValidateResponseSignature()); + sso.setValidateAssertionSignature(idp.getSingleSignOnService().isValidateAssertionSignature()); - slo.setSignRequest(sp.getIdp().getSingleLogoutService().isSignRequest()); - slo.setSignResponse(sp.getIdp().getSingleLogoutService().isSignResponse()); - slo.setValidateResponseSignature(sp.getIdp().getSingleLogoutService().isValidateResponseSignature()); - slo.setValidateRequestSignature(sp.getIdp().getSingleLogoutService().isValidateRequestSignature()); - slo.setRequestBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleLogoutService().getRequestBinding())); - slo.setResponseBinding(SamlDeployment.Binding.parseBinding(sp.getIdp().getSingleLogoutService().getResponseBinding())); + slo.setSignRequest(idp.getSingleLogoutService().isSignRequest()); + slo.setSignResponse(idp.getSingleLogoutService().isSignResponse()); + slo.setValidateResponseSignature(idp.getSingleLogoutService().isValidateResponseSignature()); + slo.setValidateRequestSignature(idp.getSingleLogoutService().isValidateRequestSignature()); + slo.setRequestBinding(SamlDeployment.Binding.parseBinding( + idp.getSingleLogoutService().getRequestBinding())); + slo.setResponseBinding(SamlDeployment.Binding.parseBinding( + idp.getSingleLogoutService().getResponseBinding())); if (slo.getRequestBinding() == SamlDeployment.Binding.POST) { - slo.setRequestBindingUrl(sp.getIdp().getSingleLogoutService().getPostBindingUrl()); + slo.setRequestBindingUrl(idp.getSingleLogoutService().getPostBindingUrl()); } else { - slo.setRequestBindingUrl(sp.getIdp().getSingleLogoutService().getRedirectBindingUrl()); + slo.setRequestBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl()); } if (slo.getResponseBinding() == SamlDeployment.Binding.POST) { - slo.setResponseBindingUrl(sp.getIdp().getSingleLogoutService().getPostBindingUrl()); + slo.setResponseBindingUrl(idp.getSingleLogoutService().getPostBindingUrl()); } else { - slo.setResponseBindingUrl(sp.getIdp().getSingleLogoutService().getRedirectBindingUrl()); + slo.setResponseBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl()); } - if (sp.getIdp().getKeys() != null) { - for (Key key : sp.getIdp().getKeys()) { + if (idp.getKeys() != null) { + for (Key key : idp.getKeys()) { if (key.isSigning()) { - processSigningKey(idp, key, resourceLoader); + processSigningKey(defaultIDP, key, resourceLoader); } } } - - idp.setClient(new HttpClientBuilder().build(sp.getIdp().getHttpClientConfig())); - idp.refreshKeyLocatorConfiguration(); + defaultIDP.setMetadataUrl(idp.getMetadataUrl()); + defaultIDP.setClient(new HttpClientBuilder().build(idp.getHttpClientConfig())); + defaultIDP.refreshKeyLocatorConfiguration(); return deployment; } diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IdpParser.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IdpParser.java index f883658888..d759059b8a 100644 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IdpParser.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/IdpParser.java @@ -50,7 +50,7 @@ public class IdpParser extends AbstractKeycloakSamlAdapterV1Parser { idp.setSignaturesRequired(signaturesRequired == null ? false : signaturesRequired); idp.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_SIGNATURE_CANONICALIZATION_METHOD)); idp.setSignatureAlgorithm(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_SIGNATURE_ALGORITHM)); - + idp.setMetadataUrl(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_METADATA_URL)); return idp; } diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterV1QNames.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterV1QNames.java index 73e4a71a35..1034417425 100644 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterV1QNames.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterV1QNames.java @@ -59,6 +59,7 @@ public enum KeycloakSamlAdapterV1QNames implements HasQName { ATTR_FORCE_AUTHENTICATION(null, "forceAuthentication"), ATTR_IS_PASSIVE(null, "isPassive"), ATTR_LOGOUT_PAGE(null, "logoutPage"), + ATTR_METADATA_URL(null, "metadataUrl"), ATTR_NAME(null, "name"), ATTR_NAME_ID_POLICY_FORMAT(null, "nameIDPolicyFormat"), ATTR_PASSWORD(null, "password"), diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractor.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractor.java index cedad34c80..9b57675eff 100644 --- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractor.java +++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractor.java @@ -70,7 +70,7 @@ public class SamlDescriptorIDPKeysExtractor { DocumentBuilder builder = DocumentUtil.getDocumentBuilder(); Document doc = builder.parse(stream); - XPathExpression expr = xpath.compile("/m:EntitiesDescriptor/m:EntityDescriptor/m:IDPSSODescriptor/m:KeyDescriptor"); + XPathExpression expr = xpath.compile("//m:EntityDescriptor/m:IDPSSODescriptor/m:KeyDescriptor"); NodeList keyDescriptors = (NodeList) expr.evaluate(doc, XPathConstants.NODESET); for (int i = 0; i < keyDescriptors.getLength(); i ++) { Node keyDescriptor = keyDescriptors.item(i); diff --git a/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_10.xsd b/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_10.xsd new file mode 100644 index 0000000000..5c3b9e1668 --- /dev/null +++ b/adapters/saml/core/src/main/resources/schema/keycloak_saml_adapter_1_10.xsd @@ -0,0 +1,466 @@ + + + + + + + + + + Keycloak SAML Adapter configuration file. + + + + + Describes SAML service provider configuration. + + + + + + + + + + + List of service provider encryption and validation keys. + + If the IDP requires that the client application (SP) sign all of its requests and/or if the IDP will encrypt assertions, you must define the keys used to do this. For client signed documents you must define both the private and public key or certificate that will be used to sign documents. For encryption, you only have to define the private key that will be used to decrypt. + + + + + When creating a Java Principal object that you obtain from methods like HttpServletRequest.getUserPrincipal(), you can define what name that is returned by the Principal.getName() method. + + + + + Defines what SAML attributes within the assertion received from the user should be used as role identifiers within the Java EE Security Context for the user. + By default Role attribute values are converted to Java EE roles. Some IDPs send roles via a member or memberOf attribute assertion. You can define one or more Attribute elements to specify which SAML attributes must be converted into roles. + + + + + Describes configuration of SAML identity provider for this service provider. + + + + + + This is the identifier for this client. The IDP needs this value to determine who the client is that is communicating with it. + + + + + SSL policy the adapter will enforce. + + + + + SAML clients can request a specific NameID Subject format. Fill in this value if you want a specific format. It must be a standard SAML format identifier, i.e. urn:oasis:names:tc:SAML:2.0:nameid-format:transient. By default, no special format is requested. + + + + + URL of the logout page. + + + + + SAML clients can request that a user is re-authenticated even if they are already logged in at the IDP. Default value is false. + + + + + SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IDP. Set this to true if you want this. Do not use together with forceAuthentication as they are opposite. Default value is false. + + + + + The session id is changed by default on a successful login on some platforms to plug a security attack vector. Change this to true to disable this. It is recommended you do not turn it off. Default value is false. + + + + + This should be set to true if your application serves both a web application and web services (e.g. SOAP or REST). It allows you to redirect unauthenticated users of the web application to the Keycloak login page, but send an HTTP 401 status code to unauthenticated SOAP or REST clients instead as they would not understand a redirect to the login page. Keycloak auto-detects SOAP or REST clients based on typical headers like X-Requested-With, SOAPAction or Accept. The default value is false. + + + + + + + + + Describes a single key used for signing or encryption. + + + + + + + + + Java keystore to load keys and certificates from. + + + + + Private key (PEM format) + + + + + Public key (PEM format) + + + + + Certificate key (PEM format) + + + + + + Flag defining whether the key should be used for signing. + + + + + Flag defining whether the key should be used for encryption + + + + + + + + Private key declaration + + + + + Certificate declaration + + + + + + File path to the key store. + + + + + WAR resource path to the key store. This is a path used in method call to ServletContext.getResourceAsStream(). + + + + + The password of the key store. + + + + + + + Alias that points to the key or cert within the keystore. + + + + + Keystores require an additional password to access private keys. In the PrivateKey element you must define this password within a password attribute. + + + + + + + Alias that points to the key or cert within the keystore. + + + + + + + Policy used to populate value of Java Principal object obtained from methods like HttpServletRequest.getUserPrincipal(). + + + + + Name of the SAML assertion attribute to use within. + + + + + + + + This policy just uses whatever the SAML subject value is. This is the default setting + + + + + This will pull the value from one of the attributes declared in the SAML assertion received from the server. You'll need to specify the name of the SAML assertion attribute to use within the attribute XML attribute. + + + + + + + + + All requests must come in via HTTPS. + + + + + Only non-private IP addresses must come over the wire via HTTPS. + + + + + no requests are required to come over via HTTPS. + + + + + + + + + + + + + + + + + + + + + + + Specifies SAML attribute to be converted into roles. + + + + + + + + Specifies name of the SAML attribute to be converted into roles. + + + + + + + + Configuration of the login SAML endpoint of the IDP. + + + + + Configuration of the logout SAML endpoint of the IDP + + + + + The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP. + + + + + Configuration of HTTP client used for automatic obtaining of certificates containing public keys for IDP signature verification via SAML descriptor of the IDP. + + + + + + issuer ID of the IDP. + + + + + If set to true, the client adapter will sign every document it sends to the IDP. Also, the client will expect that the IDP will be signing any documents sent to it. This switch sets the default for all request and response types. + + + + + Signature algorithm that the IDP expects signed documents to use. Defaults to RSA_SHA256 + + + + + This is the signature canonicalization method that the IDP expects signed documents to use. The default value is https://www.w3.org/2001/10/xml-exc-c14n# and should be good for most IDPs. + + + + + + + + + + The URL used to retrieve the IDP metadata, currently this is only used to pick up signing and encryption keys periodically which allow cycling of these keys on the IDP without manual changes on the SP side. + + + + + + + Should the client sign authn requests? Defaults to whatever the IDP signaturesRequired element value is. + + + + + Should the client expect the IDP to sign the assertion response document sent back from an auhtn request? Defaults to whatever the IDP signaturesRequired element value is. + + + + + Should the client expect the IDP to sign the individual assertions sent back from an auhtn request? Defaults to whatever the IDP signaturesRequired element value is. + + + + + SAML binding type used for communicating with the IDP. The default value is POST, but you can set it to REDIRECT as well. + + + + + SAML allows the client to request what binding type it wants authn responses to use. This value maps to ProtocolBinding attribute in SAML AuthnRequest. The default is that the client will not request a specific binding type for responses. + + + + + This is the URL for the IDP login service that the client will send requests to. + + + + + URL of the assertion consumer service (ACS) where the IDP login service should send responses to. By default it is unset, relying on the IdP settings. When set, it must end in "/saml". This property is typically accompanied by the responseBinding attribute. + + + + + + + + Should the client sign authn requests? Defaults to whatever the IDP signaturesRequired element value is. + + + + + Should the client sign logout responses it sends to the IDP requests? Defaults to whatever the IDP signaturesRequired element value is. + + + + + Should the client expect signed logout request documents from the IDP? Defaults to whatever the IDP signaturesRequired element value is. + + + + + Should the client expect signed logout response documents from the IDP? Defaults to whatever the IDP signaturesRequired element value is. + + + + + This is the SAML binding type used for communicating SAML requests to the IDP. The default value is POST. + + + + + This is the SAML binding type used for communicating SAML responses to the IDP. The default value is POST. + + + + + This is the URL for the IDP's logout service when using the POST binding. This setting is REQUIRED if using the POST binding. + + + + + This is the URL for the IDP's logout service when using the REDIRECT binding. This setting is REQUIRED if using the REDIRECT binding. + + + + + + + + If the the IDP server requires HTTPS and this config option is set to true the IDP's certificate + is validated via the truststore, but host name validation is not done. This setting should only be used during + development and never in production as it will partly disable verification of SSL certificates. + This seting may be useful in test environments. The default value is false. + + + + + This is the file path to a keystore file. This keystore contains client certificate + for two-way SSL when the adapter makes HTTPS requests to the IDP server. + + + + + Password for the client keystore and for the client's key. + + + + + Defines number of pooled connections. + + + + + If the the IDP server requires HTTPS and this config option is set to true you do not have to specify a truststore. + This setting should only be used during development and never in production as it will disable verification of SSL certificates. + The default value is false. + + + + + URL to HTTP proxy to use for HTTP connections. + + + + + The value is the file path to a keystore file. If you prefix the path with classpath:, + then the truststore will be obtained from the deployment's classpath instead. Used for outgoing + HTTPS communications to the IDP server. Client making HTTPS requests need + a way to verify the host of the server they are talking to. This is what the trustore does. + The keystore contains one or more trusted host certificates or certificate authorities. + You can create this truststore by extracting the public certificate of the IDP's SSL keystore. + + + + + + Password for the truststore keystore. + + + + + diff --git a/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterXMLParserTest.java b/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterXMLParserTest.java index 1a287435e6..6a1c174f4a 100755 --- a/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterXMLParserTest.java +++ b/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/config/parsers/KeycloakSamlAdapterXMLParserTest.java @@ -39,7 +39,7 @@ import org.hamcrest.Matchers; */ public class KeycloakSamlAdapterXMLParserTest { - private static final String CURRENT_XSD_LOCATION = "/schema/keycloak_saml_adapter_1_9.xsd"; + private static final String CURRENT_XSD_LOCATION = "/schema/keycloak_saml_adapter_1_10.xsd"; @Rule public ExpectedException expectedException = ExpectedException.none(); @@ -67,6 +67,11 @@ public class KeycloakSamlAdapterXMLParserTest { testValidationValid("keycloak-saml-wth-http-client-settings.xml"); } + @Test + public void testValidationWithMetadataUrl() throws Exception { + testValidationValid("keycloak-saml-with-metadata-url.xml"); + } + @Test public void testValidationKeyInvalid() throws Exception { InputStream schemaIs = KeycloakSamlAdapterV1Parser.class.getResourceAsStream(CURRENT_XSD_LOCATION); @@ -243,4 +248,14 @@ public class KeycloakSamlAdapterXMLParserTest { System.clearProperty("keycloak-saml-properties.signaturesRequired"); } } + + @Test + public void testMetadataUrl() throws Exception { + KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-with-metadata-url.xml", KeycloakSamlAdapter.class); + assertNotNull(config); + assertThat(config.getSps(), Matchers.contains(instanceOf(SP.class))); + SP sp = config.getSps().get(0); + IDP idp = sp.getIdp(); + assertThat(idp.getMetadataUrl(), is("https:///example.com/metadata.xml")); + } } diff --git a/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractorTest.java b/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractorTest.java new file mode 100644 index 0000000000..ec6eaa4bc8 --- /dev/null +++ b/adapters/saml/core/src/test/java/org/keycloak/adapters/saml/descriptor/parsers/SamlDescriptorIDPKeysExtractorTest.java @@ -0,0 +1,39 @@ +package org.keycloak.adapters.saml.descriptor.parsers; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.InputStream; +import org.junit.Test; +import org.keycloak.common.util.MultivaluedHashMap; +import org.keycloak.saml.common.exceptions.ParsingException; + +public class SamlDescriptorIDPKeysExtractorTest { + + @Test + public void testParsingFileContainingEntityDescriptorAsRootElement() { + testParse("saml-idp-metadata-with-entity-descriptor-as-root-element.xml"); + } + + @Test + public void testParsingFileContainingEntitiesDescriptorAsRootElement() { + testParse("saml-idp-metadata-with-entities-descriptor-as-root-element.xml"); + } + + + public void testParse(String fileToParse) { + InputStream stream = getClass().getResourceAsStream(fileToParse); + SamlDescriptorIDPKeysExtractor extractor = new SamlDescriptorIDPKeysExtractor(); + try { + MultivaluedHashMap keyMap = extractor.parse(stream); + assertFalse(keyMap.isEmpty()); + assertTrue(keyMap.containsKey("signing")); + assertTrue(keyMap.containsKey("encryption")); + } catch (ParsingException e) { + fail(e.getMessage()); + } + } + + +} diff --git a/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/config/parsers/keycloak-saml-with-metadata-url.xml b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/config/parsers/keycloak-saml-with-metadata-url.xml new file mode 100644 index 0000000000..57f62075d9 --- /dev/null +++ b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/config/parsers/keycloak-saml-with-metadata-url.xml @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + private pem + + + public pem + + + + + + + + + + + + + + + cert pem + + + + + + diff --git a/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entities-descriptor-as-root-element.xml b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entities-descriptor-as-root-element.xml new file mode 100644 index 0000000000..850b9cf592 --- /dev/null +++ b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entities-descriptor-as-root-element.xml @@ -0,0 +1,43 @@ + + + + + + rJkJlvowmv1Id74GznieaAC5jU5QQp_ILzuG-GsweTI + + + MIICmzCCAYMCBgFX/9ccIDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTYxMDI2MDcxMjUwWhcNMjYxMDI2MDgxNDMwWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPjDrM890OoFWLIU5xNT+v8B8EkpOGY1y/9Yi/yQd95uG/p5LaywiPsw+lPy4tSn1pH/2SxNDST2zynKPDd1lYDev43m0sC2FfD2H73q3udQRqSOxW1e8FrTrGDIHxb82UNrCPlu+fH+xYSkigrkOvLvPigTwSIcu8vgs0lk9FqJ81ty3Wj2e9lS7JJGAJ3pC7rp39VLdJSKbfyj/v2RYBeG5Pscncl8cjUOHUq5u19hThjkU2jOBzgIK2JS0bNmzSfH1eBTZMoCQBI1UJ1IbA8tqjQwpOXc+JkPBRU8T/JUQoQlSR6DTcPFvDgH2oGZYFHFfUontZqtz8jrIt2pxBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK5VgQp1x1FKgabFI6W/iGuy9ZCRoAixOOEGGkDps6dOEFgTQKTy5D/FZts9KuNxhhiD+NvS0d5BKYa5ITPLVPnGucgYkZhz+/+GhxmbjeQr0eJPaY7ZgLfH3tPA6tfdIkA0iE1En1sKEwt6R6DZjh9jtP9laoUoddTvYaFLJpZ2u1Ik94q6ZqX0fS/RKchaBHjhg6MtqCcHt07CBKHh8XNmKPXVSJC/p0MjyXv+qLaNNqyaAvAw6P6DX1hNjzrdkuaaHGXhu6kkezZUVlDWAm9cd1ppqalSK6ggy7yMW1NWTd/NYOPsFU2TS8DDPzRo14s1Qvw4v+TY6yT0NURJPQA= + + + + + + + BzYc4GwL8HVrAhNyNdp-lTah2DvU9jU03kby9Ynohr4 + + + MIICmzCCAYMCBgFX/9eK7TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTYxMDI2MDcxMzE4WhcNMjYxMDI2MDgxNDU4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCDLT+40/BWzWPSVmpaSaZRs5lBMQ9VP9TCoXkby4PHqxIWRecTPM8fcNkPNPE/tiR2tUIpMXPDzgXNFA/EMoB3V1OEVXPecjKtiZczdR6pi75CBx7PJ2fSXg6xpjhZmHu0k7x591GZdP8Iiu2E6b9QA2p5VXgNgfuP07XzgabnSvIrLG60Imus3u6C2qA/QEuY7EYQWrFooriYLW6B8s3xU8R1a92SLMT8JsfMWXi+1CzAhIbVvdwUwkhVDDhAU6pUek88QQgxodd3FAMksoijCGFN1yrCkovlFhKb3j9AC6Icd9eeJuwYddN/nMeMGEDOeCcAGBACiaUisjUvZDw1AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHAHbBI0CRfdw5ZHxHAjgSQvSj41c/4cfwln4Q7X3I5lMBbW3tcgond6Ku9eU46FzG5VpgXIgvEf4u0O9jUnxLlO50+t2SHwQ1RwHdBWQngVSZCRzscq3KrSzx1hx88qLyqcPrr3QtR92fYipDjENxttT/qJtDMrXlwLZEITlHDoneX319USYB9C4zlrCIsQ5XxQTTyCx886Pz15DSVSRxVp61HGk6ROsX/DG5/xwInlzgMZ0r3JWnAjtAaXqUrcwH9FXxco+xkiqKW79bGhWGQI9sXXvQSSNAaENMIUhxtd9uOi1l5e0EkKHE2fHlYyfdUDnFJWwSMXd/NM+hVI4Lw= + + + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + + + \ No newline at end of file diff --git a/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entity-descriptor-as-root-element.xml b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entity-descriptor-as-root-element.xml new file mode 100644 index 0000000000..34ae97cae6 --- /dev/null +++ b/adapters/saml/core/src/test/resources/org/keycloak/adapters/saml/descriptor/parsers/saml-idp-metadata-with-entity-descriptor-as-root-element.xml @@ -0,0 +1,47 @@ + + + + + rJkJlvowmv1Id74GznieaAC5jU5QQp_ILzuG-GsweTI + + + MIICmzCCAYMCBgFX/9ccIDANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTYxMDI2MDcxMjUwWhcNMjYxMDI2MDgxNDMwWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPjDrM890OoFWLIU5xNT+v8B8EkpOGY1y/9Yi/yQd95uG/p5LaywiPsw+lPy4tSn1pH/2SxNDST2zynKPDd1lYDev43m0sC2FfD2H73q3udQRqSOxW1e8FrTrGDIHxb82UNrCPlu+fH+xYSkigrkOvLvPigTwSIcu8vgs0lk9FqJ81ty3Wj2e9lS7JJGAJ3pC7rp39VLdJSKbfyj/v2RYBeG5Pscncl8cjUOHUq5u19hThjkU2jOBzgIK2JS0bNmzSfH1eBTZMoCQBI1UJ1IbA8tqjQwpOXc+JkPBRU8T/JUQoQlSR6DTcPFvDgH2oGZYFHFfUontZqtz8jrIt2pxBAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAK5VgQp1x1FKgabFI6W/iGuy9ZCRoAixOOEGGkDps6dOEFgTQKTy5D/FZts9KuNxhhiD+NvS0d5BKYa5ITPLVPnGucgYkZhz+/+GhxmbjeQr0eJPaY7ZgLfH3tPA6tfdIkA0iE1En1sKEwt6R6DZjh9jtP9laoUoddTvYaFLJpZ2u1Ik94q6ZqX0fS/RKchaBHjhg6MtqCcHt07CBKHh8XNmKPXVSJC/p0MjyXv+qLaNNqyaAvAw6P6DX1hNjzrdkuaaHGXhu6kkezZUVlDWAm9cd1ppqalSK6ggy7yMW1NWTd/NYOPsFU2TS8DDPzRo14s1Qvw4v+TY6yT0NURJPQA= + + + + + + + BzYc4GwL8HVrAhNyNdp-lTah2DvU9jU03kby9Ynohr4 + + + MIICmzCCAYMCBgFX/9eK7TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTYxMDI2MDcxMzE4WhcNMjYxMDI2MDgxNDU4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCDLT+40/BWzWPSVmpaSaZRs5lBMQ9VP9TCoXkby4PHqxIWRecTPM8fcNkPNPE/tiR2tUIpMXPDzgXNFA/EMoB3V1OEVXPecjKtiZczdR6pi75CBx7PJ2fSXg6xpjhZmHu0k7x591GZdP8Iiu2E6b9QA2p5VXgNgfuP07XzgabnSvIrLG60Imus3u6C2qA/QEuY7EYQWrFooriYLW6B8s3xU8R1a92SLMT8JsfMWXi+1CzAhIbVvdwUwkhVDDhAU6pUek88QQgxodd3FAMksoijCGFN1yrCkovlFhKb3j9AC6Icd9eeJuwYddN/nMeMGEDOeCcAGBACiaUisjUvZDw1AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHAHbBI0CRfdw5ZHxHAjgSQvSj41c/4cfwln4Q7X3I5lMBbW3tcgond6Ku9eU46FzG5VpgXIgvEf4u0O9jUnxLlO50+t2SHwQ1RwHdBWQngVSZCRzscq3KrSzx1hx88qLyqcPrr3QtR92fYipDjENxttT/qJtDMrXlwLZEITlHDoneX319USYB9C4zlrCIsQ5XxQTTyCx886Pz15DSVSRxVp61HGk6ROsX/DG5/xwInlzgMZ0r3JWnAjtAaXqUrcwH9FXxco+xkiqKW79bGhWGQI9sXXvQSSNAaENMIUhxtd9uOi1l5e0EkKHE2fHlYyfdUDnFJWwSMXd/NM+hVI4Lw= + + + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + +