From 64e777a4f47ac837d7c5b2d1d61aab3af715505b Mon Sep 17 00:00:00 2001 From: mposolda Date: Tue, 11 Nov 2014 12:58:49 +0100 Subject: [PATCH 1/4] Upgrade to picketlink 2.7.0.CR2 and minor LDAP improvements --- .../federation/ldap/LDAPFederationProvider.java | 7 +++++-- .../idm/LDAPKeycloakCredentialHandler.java | 14 +------------- pom.xml | 4 ++-- testsuite/integration/pom.xml | 2 +- 4 files changed, 9 insertions(+), 18 deletions(-) diff --git a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java index e6378ce809..a49a989b24 100755 --- a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java +++ b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProvider.java @@ -53,8 +53,11 @@ public class LDAPFederationProvider implements UserFederationProvider { this.model = model; this.partitionManager = partitionManager; String editModeString = model.getConfig().get(EDIT_MODE); - if (editModeString == null) editMode = EditMode.READ_ONLY; - editMode = EditMode.valueOf(editModeString); + if (editModeString == null) { + editMode = EditMode.READ_ONLY; + } else { + editMode = EditMode.valueOf(editModeString); + } } private ModelException convertIDMException(IdentityManagementException ie) { diff --git a/picketlink/keycloak-picketlink-ldap/src/main/java/org/keycloak/picketlink/idm/LDAPKeycloakCredentialHandler.java b/picketlink/keycloak-picketlink-ldap/src/main/java/org/keycloak/picketlink/idm/LDAPKeycloakCredentialHandler.java index 0c82906406..bc5278c316 100755 --- a/picketlink/keycloak-picketlink-ldap/src/main/java/org/keycloak/picketlink/idm/LDAPKeycloakCredentialHandler.java +++ b/picketlink/keycloak-picketlink-ldap/src/main/java/org/keycloak/picketlink/idm/LDAPKeycloakCredentialHandler.java 
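Review bot: `editMode = EditMode.valueOf(editModeString);` in the new else branch still throws a bare IllegalArgumentException when the stored EDIT_MODE value is not one of the enum constants, so a mistyped or legacy config value surfaces as an unhandled runtime exception from the provider constructor instead of the model-level error this class already produces elsewhere (see `convertIDMException`). Consider catching IllegalArgumentException around the `valueOf` call and rethrowing it as the model exception with the offending value in the message, or at least adding `// valueOf throws IllegalArgumentException on an unknown EDIT_MODE value` so the behaviour is deliberate. The enclosing constructor starts before the hunk.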
@@ -37,7 +37,7 @@ public class LDAPKeycloakCredentialHandler extends LDAPPlainTextPasswordCredenti protected boolean validateCredential(IdentityContext context, CredentialStorage credentialStorage, UsernamePasswordCredentials credentials, LDAPIdentityStore ldapIdentityStore) { Account account = getAccount(context, credentials.getUsername()); char[] password = credentials.getPassword().getValue(); - String userDN = getDNOfUser(ldapIdentityStore, account); + String userDN = (String) account.getAttribute(LDAPIdentityStore.ENTRY_DN_ATTRIBUTE_NAME).getValue(); if (CREDENTIAL_LOGGER.isDebugEnabled()) { CREDENTIAL_LOGGER.debugf("Using DN [%s] for authentication of user [%s]", userDN, credentials.getUsername()); } @@ -48,16 +48,4 @@ public class LDAPKeycloakCredentialHandler extends LDAPPlainTextPasswordCredenti return false; } - - protected String getDNOfUser(LDAPIdentityStore ldapIdentityStore, Account user) { - LDAPMappingConfiguration userMappingConfig = ldapIdentityStore.getConfig().getMappingConfig(User.class); - SearchResult sr = ldapIdentityStore.getOperationManager().lookupById(userMappingConfig.getBaseDN(), user.getId(), userMappingConfig); - - if (sr != null) { - return sr.getNameInNamespace(); - } else { - // Fallback - return ldapIdentityStore.getBindingDN(user, true); - } - } } diff --git a/pom.xml b/pom.xml index 14ee353381..0070920893 100755 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ 3.0.9.Final 1.0.15.Final - 2.7.0.CR1 + 2.7.0.CR2 1.0.2.Final 2.11.3 3.1.4.GA @@ -252,7 +252,7 @@ org.picketlink - picketlink-wildlfy-common + picketlink-wildfly-common ${picketlink.version} diff --git a/testsuite/integration/pom.xml b/testsuite/integration/pom.xml index 6ca12ba378..e3db10a79d 100755 --- a/testsuite/integration/pom.xml +++ b/testsuite/integration/pom.xml @@ -215,7 +215,7 @@ org.picketlink - picketlink-wildlfy-common + picketlink-wildfly-common test From 2f0498bb7f5972d38e74e1556d31c5aa69458a5f Mon Sep 17 00:00:00 2001 
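Review bot: `String userDN = (String) account.getAttribute(LDAPIdentityStore.ENTRY_DN_ATTRIBUTE_NAME).getValue();` dereferences the attribute without a null check, so an account whose entry was loaded without that attribute (or a null `account` from `getAccount` for an unknown username, if that method can return null) turns credential validation into a NullPointerException rather than a `return false`; the removed `getDNOfUser` at least fell back to `getBindingDN`. Suggest guarding before the cast: `if (account == null || account.getAttribute(LDAPIdentityStore.ENTRY_DN_ATTRIBUTE_NAME) == null) { return false; }`. Whether picketlink always populates ENTRY_DN_ATTRIBUTE_NAME on loaded accounts is not visible here, so a comment recording that assumption would also help. validateCredential continues past the end of the hunk.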
From: mposolda Date: Tue, 11 Nov 2014 13:15:47 +0100 Subject: [PATCH 2/4] KEYCLOAK-827 add entryDN as one of attributes, which can be mapped to username --- .../theme/admin/base/resources/js/controllers/users.js | 2 +- .../theme/admin/base/resources/partials/federated-ldap.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/users.js b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/users.js index 8c6154ada8..9855de2216 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/users.js +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/users.js @@ -529,7 +529,7 @@ module.controller('LDAPCtrl', function($scope, $location, Notifications, Dialog, ]; $scope.usernameLDAPAttributes = [ - "uid", "cn", "sAMAccountName" + "uid", "cn", "sAMAccountName", "entryDN" ]; $scope.realm = realm; diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/federated-ldap.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/federated-ldap.html index d94f8ab7af..69c53e2862 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/federated-ldap.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/federated-ldap.html @@ -129,7 +129,7 @@
- +
From 279a70bcb842e38195ffb0feb206a2b83ca013f2 Mon Sep 17 00:00:00 2001 From: mposolda Date: Tue, 11 Nov 2014 15:17:32 +0100 Subject: [PATCH 3/4] Fix failing tests --- .../ldap/LDAPFederationProviderFactory.java | 14 ++++++++++---- .../org/keycloak/federation/ldap/LDAPUtils.java | 4 ++++ .../java/org/keycloak/testsuite/rule/LDAPRule.java | 3 ++- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java index 5472bc7a7f..44987e96f5 100755 --- a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java +++ b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPFederationProviderFactory.java @@ -16,7 +16,11 @@ import org.picketlink.idm.IdentityManager; import org.picketlink.idm.PartitionManager; import org.picketlink.idm.model.IdentityType; import org.picketlink.idm.model.basic.User; +import org.picketlink.idm.query.AttributeParameter; +import org.picketlink.idm.query.Condition; import org.picketlink.idm.query.IdentityQuery; +import org.picketlink.idm.query.IdentityQueryBuilder; +import org.picketlink.idm.query.QueryParameter; import java.util.Collections; import java.util.Date; 
@@ -84,13 +88,15 @@ public class LDAPFederationProviderFactory implements UserFederationProviderFact // Sync newly created users IdentityManager identityManager = partitionMgr.createIdentityManager(); - IdentityQuery userQuery = identityManager.createIdentityQuery(User.class) - .setParameter(IdentityType.CREATED_AFTER, lastSync); + IdentityQueryBuilder queryBuilder = identityManager.getQueryBuilder(); + Condition condition = queryBuilder.greaterThanOrEqualTo(IdentityType.CREATED_DATE, lastSync); + IdentityQuery userQuery = queryBuilder.createIdentityQuery(User.class).where(condition); syncImpl(sessionFactory, userQuery, realmId, model); // Sync updated users - userQuery = identityManager.createIdentityQuery(User.class) - .setParameter(IdentityType.MODIFIED_AFTER, lastSync); + queryBuilder = identityManager.getQueryBuilder(); + condition = queryBuilder.greaterThanOrEqualTo(LDAPUtils.MODIFY_DATE, lastSync); + userQuery = queryBuilder.createIdentityQuery(User.class).where(condition); syncImpl(sessionFactory, userQuery, realmId, model); } diff --git a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java index e01a5314bc..db0e9b8ab1 100755 --- a/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java +++ b/federation/ldap/src/main/java/org/keycloak/federation/ldap/LDAPUtils.java @@ -10,6 +10,8 @@ import org.picketlink.idm.credential.UsernamePasswordCredentials; import org.picketlink.idm.model.Attribute; import org.picketlink.idm.model.basic.BasicModel; import org.picketlink.idm.model.basic.User; +import org.picketlink.idm.query.AttributeParameter; +import org.picketlink.idm.query.QueryParameter; import java.util.List; 
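Review bot: Both new conditions use `greaterThanOrEqualTo(..., lastSync)`, whereas the removed `CREATED_AFTER`/`MODIFIED_AFTER` parameters read as strict bounds, so entries whose timestamp equals `lastSync` will be picked up again on the next run; that is harmless only if `syncImpl` is idempotent for already-imported users, which deserves a comment such as `// inclusive bound: entries stamped exactly at lastSync are re-synced; syncImpl must tolerate repeats`. The second `queryBuilder = identityManager.getQueryBuilder();` can likely reuse the first builder unless the builder is single-use, which is not visible here. The import hunk above also adds `AttributeParameter` and `QueryParameter`, neither of which is referenced in this file's visible changes. The enclosing method starts and ends outside the hunk.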
@@ -20,6 +22,8 @@ import java.util.List; */ public class LDAPUtils { + public static QueryParameter MODIFY_DATE = new AttributeParameter("modifyDate"); + public static User addUser(PartitionManager partitionManager, String username, String firstName, String lastName, String email) { IdentityManager identityManager = getIdentityManager(partitionManager); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java index 8cd97934f9..1c631bb9ad 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/LDAPRule.java @@ -25,8 +25,9 @@ public class LDAPRule extends ExternalResource { protected void after() { try { embeddedServer.tearDown(); + embeddedServer = null; } catch (Exception e) { - throw new RuntimeException("Error starting Embedded LDAP server.", e); + throw new RuntimeException("Error tearDown Embedded LDAP server.", e); } } From 24a2773524aa9efc0fb4e51a1a3ec5297fe1fffe Mon Sep 17 00:00:00 2001 
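Review bot: `public static QueryParameter MODIFY_DATE = new AttributeParameter("modifyDate");` is a mutable public static, so any code can reassign it and silently change which attribute every later sync filters on; declare it `public static final QueryParameter MODIFY_DATE = new AttributeParameter("modifyDate");`. A one-line comment stating where the hard-coded `"modifyDate"` attribute name is expected to be defined in the LDAP mapping configuration would help, since that mapping is not visible in this hunk.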
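Review bot: In LDAPRule.after(), `embeddedServer = null;` runs only when `tearDown()` succeeds, so a failed teardown leaves the stale reference in place for the next test; moving the assignment into a `} finally { embeddedServer = null; }` block clears it on both paths. The broad `catch (Exception e)` also wraps a NullPointerException from a server that was never started (e.g. `before()` failed) into the same "Error tearDown" message; a guard `if (embeddedServer == null) return;` at the top of after() would keep the two cases distinct.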
From: Eivind Mikkelsen Date: Wed, 12 Nov 2014 01:24:51 +0100 Subject: [PATCH 4/4] Add SAML NameID Formats and include certificate in signature The NameID Format in the AuthnRequest NameIDPolicy is now respected, and support has been added for the following NameID Formats: - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - urn:oasis:names:tc:SAML:2.0:nameid-format:transient The persistent NameID format was previously used in all responses and mapped to the principal's username. Now, unspecified is mapped to the principal's username and used by default if no NameIDPolicy is specified by the SP. The persistent format requires generating a pseudo-random identifier that must be generated by the IdP on first login and stored in the user's profile. Persistent NameID Format is not yet implemented. The certificate is now added to the signature to enable support for integration with Service Providers where only the IdP's certificate fingerprint is configured (e.g. Zendesk). --- .../saml/SALM2LoginResponseBuilder.java | 12 ++++--- .../keycloak/protocol/saml/SamlProtocol.java | 33 ++++++++++++++++--- .../keycloak/protocol/saml/SamlService.java | 26 +++++++++++++++ .../main/resources/idp-metadata-template.xml | 6 ++-- 4 files changed, 65 insertions(+), 12 deletions(-) diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java index 0b373793bd..2bf82ae6fd 100755 --- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java +++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java 
@@ -38,7 +38,8 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder roles = new LinkedList(); - protected String userPrincipal; + protected String nameId; + protected String nameIdFormat; protected boolean multiValuedRoles; protected boolean disableAuthnStatement; protected String requestID; @@ -88,8 +89,9 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder - urn:oasis:names:tc:SAML:2.0:nameid-format:transient - + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress +
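Review bot: `protected String nameIdFormat;` is added with no initializer or documentation, so a reader of the builder cannot tell what is emitted when the caller never sets it; the commit message says unspecified is the default, but that logic presumably lives in SamlProtocol, which is not in this view. A field comment such as `// NameID Format URN (SAML 1.1 unspecified/emailAddress or SAML 2.0 transient); expected to be set from the SP's NameIDPolicy, with unspecified as the default` would pin the contract. Because the emailAddress format makes the NameID the subject's identity at the SP, the comment on `nameId` should also state that for that format the value is expected to be the user's verified email rather than an unchecked profile attribute. The class continues outside the hunk.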