saml config

Bill Burke 2015-02-11 20:54:01 -05:00
parent 37a8e295bd
commit 3ff423c3ad
5 changed files with 98 additions and 33 deletions


@ -553,6 +553,12 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
"RSA_SHA512",
"DSA_SHA1"
];
$scope.nameIdFormats = [
"username",
"email",
"transient",
"persistent"
];
$scope.realm = realm;
$scope.create = !application.name;
@ -563,6 +569,7 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.samlClientSignature = false;
$scope.samlEncrypt = false;
$scope.samlForcePostBinding = false;
$scope.samlForceNameIdFormat = false;
if (!$scope.create) {
if (!application.attributes) {
application.attributes = {};
@ -588,13 +595,25 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
} else if (application.attributes['saml.signature.algorithm'] == 'DSA_SHA1') {
$scope.signatureAlgorithm = $scope.signatureAlgorithms[3];
}
if (application.attributes['saml_name_id_format'] == 'unspecified') {
$scope.nameIdFormat = $scope.nameIdFormats[0];
} else if (application.attributes['saml_name_id_format'] == 'email') {
$scope.nameIdFormat = $scope.nameIdFormats[1];
} else if (application.attributes['saml_name_id_format'] == 'transient') {
$scope.nameIdFormat = $scope.nameIdFormats[2];
} else if (application.attributes['saml_name_id_format'] == 'persistent') {
$scope.nameIdFormat = $scope.nameIdFormats[3];
}
} else {
$scope.application = { enabled: true, attributes: {}};
$scope.application.redirectUris = [];
$scope.accessType = $scope.accessTypes[0];
$scope.protocol = $scope.protocols[0];
$scope.signatureAlgorithm = $scope.signatureAlgorithms[1];
$scope.nameIdFormat = $scope.nameIdFormats[0];
$scope.samlAuthnStatement = true;
$scope.samlForceNameIdFormat = false;
}
if ($scope.application.attributes["saml.server.signature"]) {
@ -633,6 +652,13 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.samlAuthnStatement = false;
}
}
if ($scope.application.attributes["saml_force_name_id_format"]) {
if ($scope.application.attributes["saml_force_name_id_format"] == "true") {
$scope.samlForceNameIdFormat = true;
} else {
$scope.samlForceNameIdFormat = false;
}
}
if ($scope.application.attributes["saml.multivalued.roles"]) {
if ($scope.application.attributes["saml.multivalued.roles"] == "true") {
$scope.samlMultiValuedRoles = true;
@ -677,6 +703,10 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.application.attributes['saml.signature.algorithm'] = $scope.signatureAlgorithm;
};
$scope.changeNameIdFormat = function() {
$scope.application.attributes['saml_name_id_format'] = $scope.nameIdFormat;
};
$scope.$watch(function() {
return $location.path();
}, function() {
@ -733,6 +763,12 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
} else {
$scope.application.attributes["saml.authnstatement"] = "false";
}
if ($scope.samlForceNameIdFormat == true) {
$scope.application.attributes["saml_force_name_id_format"] = "true";
} else {
$scope.application.attributes["saml_force_name_id_format"] = "false";
}
if ($scope.samlMultiValuedRoles == true) {
$scope.application.attributes["saml.multivalued.roles"] = "true";
@ -749,6 +785,7 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.application.protocol = $scope.protocol;
$scope.application.attributes['saml.signature.algorithm'] = $scope.signatureAlgorithm;
$scope.application.attributes['saml_name_id_format'] = $scope.nameIdFormat;
if ($scope.application.protocol != 'saml' && !$scope.application.bearerOnly && (!$scope.application.redirectUris || $scope.application.redirectUris.length == 0)) {
Notifications.error("You must specify at least one redirect uri");
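Review bot: The load path and the save path disagree on the first name ID format value: the new restore block compares `application.attributes['saml_name_id_format']` against `'unspecified'`, while `changeNameIdFormat` and the save code both write `$scope.nameIdFormat`, whose value for the first option is the list entry `"username"`, so an application saved with that option reloads with `$scope.nameIdFormat` undefined unless the server rewrites the value. Either make the list entry `"unspecified"` or change the check to `if (application.attributes['saml_name_id_format'] == 'username') {`, and add an else branch that falls back to `$scope.nameIdFormats[0]` when the attribute is absent, so an existing application gets the same default as a new one. Separately, the redirect-URI requirement in the last hunk is skipped for SAML clients, so the console accepts a SAML application with neither consumer-service URLs nor valid redirect patterns; the new tooltip says the patterns are required when relying on the request-embedded consumer URL, so either a console-side check or confirmation that the server rejects such a request would close that gap. The `ApplicationDetailCtrl` function starts and ends outside these hunks.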


@ -56,20 +56,6 @@
</div>
<span tooltip-placement="right" tooltip="'Confidential' applications require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' applications are web services that never initiate a login." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service (login responses. If you leave this blank then the consumer URL is expected be sent with authn request from the SP. This sent URL must be verified via the redirect URI pattern config option below." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's assertion consumer service (login responses). If you leave this blank then the consumer URL is expected be sent with authn request from the SP. This sent URL must be verified via the redirect URI pattern config option below." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="samlServerSignature">Include AuthnStatement</label>
<div class="col-sm-6">
@ -99,7 +85,7 @@
<span tooltip-placement="right" tooltip="Should assertions inside SAML documents be signed? This setting isn't needed if document is already being signed." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="(samlAssertionSignature || samlServerSignature) && protocol == 'saml'">
<label class="col-sm-2 control-label" for="protocol">Signature Algorithm</label>
<label class="col-sm-2 control-label" for="signatureAlgorithm">Signature Algorithm</label>
<div class="col-sm-6">
<div class="select-kc">
<select id="signatureAlgorithm"
@ -140,21 +126,27 @@
<span tooltip-placement="right" tooltip="When true, logout requires a browser redirect to application. When false, server performs a background invocation for logout." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service POST Binding URL</label>
<label class="col-sm-2 control-label" for="samlForceNameIdFormat">Force Name ID Format</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
<input ng-model="samlForceNameIdFormat" ng-click="switchChange()" name="samlForceNameIdFormat" id="samlForceNameIdFormat" onoffswitch />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service. You can leave this blank if you are using a differen binding" class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Ignore requested NameID subject format and use admin console configured one." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service Redirect Binding URL</label>
<div class="form-group" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="samlNameIdFormat">Name ID Format</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
<div class="select-kc">
<select id="samlNameIdFormat"
ng-change="changeNameIdFormat()"
ng-model="nameIdFormat"
ng-options="format for format in nameIdFormats">
</select>
</div>
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's single logout service. You can leave this blank if you are using a different binding." class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="The name ID format to use for the subject." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="!application.bearerOnly">
<label class="col-sm-2 control-label" for="newRedirectUri">Redirect URI <span class="required" data-ng-show="create && protocol != 'saml'">*</span></label>
<label class="col-sm-2 control-label" for="newRedirectUri">Valid Redirect URIs <span class="required" data-ng-show="create && protocol != 'saml'">*</span></label>
<div class="col-sm-6 multiple" ng-repeat="redirectUri in application.redirectUris">
<div class="input-group kc-item-deletable">
<input class="form-control" type="text" data-ng-class="{'input-below':!$first}"
@ -175,7 +167,7 @@
</span>
</div>
</div>
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port." class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="!application.bearerOnly && !create">
<label class="col-sm-2 control-label" for="baseUrl">Default Redirect URL</label>
@ -183,7 +175,7 @@
<input class="form-control" type="text" name="baseUrl" id="baseUrl"
data-ng-model="application.baseUrl">
</div>
<span tooltip-placement="right" tooltip="Default URL to use when no redirect URI is specified. This URL will also be used when the auth server needs to link to the application for any reason." class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Default URL to use when the auth server needs to redirect back to the application. This URL will also be used when the auth server needs to link to the application for any reason." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-hide="create || protocol == 'saml'">
<label class="col-sm-2 control-label" for="adminUrl">Admin URL</label>
@ -193,6 +185,14 @@
</div>
<span tooltip-placement="right" tooltip="URL to the admin interface of the application. Set this if the application supports the adapter REST API. This REST API allows the auth server to push revocation policies and other adminstrative tasks. Usually this is set to the base URL of the application." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="masterSamlUrl">Master SAML Processing URL</label>
<div class="col-sm-6">
<input class="form-control" type="text" name="masterSamlUrl" id="masterSamlUrl"
data-ng-model="application.adminUrl">
</div>
<span tooltip-placement="right" tooltip="If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overiden for each binding and service in the Fine Grain SAML Endpoint Configuration." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="!application.bearerOnly && !create && protocol == 'openid-connect'">
<label class="col-sm-2 control-label" for="newWebOrigin">Web Origin</label>
<div class="col-sm-6 multiple" ng-repeat="webOrigin in application.webOrigins">
@ -218,6 +218,37 @@
<span tooltip-placement="right" tooltip="Allowed CORS origins. Only useful if the client adapter has CORS processing enabled." class="fa fa-info-circle"></span>
</div>
</fieldset>
<fieldset>
<legend collapsed><span class="text">Fine Grain SAML Endpoint Configuration</span> <span tooltip-placement="right" tooltip="Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service." class="fa fa-info-circle"></span></legend>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service. You can leave this blank if you are using a different binding" class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's single logout service. You can leave this blank if you are using a different binding." class="fa fa-info-circle"></span>
</div>
</fieldset>
<div class="pull-right form-actions" data-ng-show="create && access.manageApplications">
<button kc-cancel data-ng-click="cancel()">Cancel</button>
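Review bot: The four inputs moved into the new "Fine Grain SAML Endpoint Configuration" fieldset still share element ids: both POST-binding inputs carry `id="logoutPostBinding"`, both redirect-binding inputs carry `id="logoutRedirectBinding"`, and all four labels use `for="logoutPostBinding"`, so the label associations are ambiguous and the Assertion Consumer labels point at a logout field. The lines are copied verbatim from the block removed at the top of the file, so this is pre-existing, but the move is the moment to give each input its own id/name and point its label at it (the names below are suggestions). The tooltip on the new Master SAML Processing URL field also has a typo, `overiden` for `overridden`.
```html
<!-- … unchanged: fieldset legend … -->
<label class="col-sm-2 control-label" for="assertionConsumerPostBinding">Assertion Consumer Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_post" class="form-control" type="text" name="assertionConsumerPostBinding" id="assertionConsumerPostBinding" />
</div>
<!-- … unchanged: tooltip span … -->
<label class="col-sm-2 control-label" for="assertionConsumerRedirectBinding">Assertion Consumer Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_redirect" class="form-control" type="text" name="assertionConsumerRedirectBinding" id="assertionConsumerRedirectBinding" />
</div>
<!-- … unchanged: tooltip span; Logout Service POST block keeps id="logoutPostBinding" … -->
<label class="col-sm-2 control-label" for="logoutRedirectBinding">Logout Service Redirect Binding URL</label>
<!-- … unchanged: logout redirect input (already id="logoutRedirectBinding") and tooltip … -->
```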


@ -15,7 +15,7 @@
<aesh.version>0.33.12</aesh.version>
<base64.version>2.3.8</base64.version>
<bouncycastle.crypto.version>1.50</bouncycastle.crypto.version>
<bouncycastle.mail.version>1.46</bouncycastle.mail.version>
<bouncycastle.mail.version>1.50</bouncycastle.mail.version>
<jackson.version>1.9.9</jackson.version>
<keycloak.apache.httpcomponents.version>4.2.1</keycloak.apache.httpcomponents.version>
<resteasy.version>2.3.7.Final</resteasy.version>
@ -143,7 +143,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcmail-jdk16</artifactId>
<artifactId>bcmail-jdk15on</artifactId>
<version>${bouncycastle.mail.version}</version>
</dependency>
<dependency>


@ -205,11 +205,8 @@
"redirectUris": [
"http://localhost:8081/employee-sig/*"
],
"adminUrl": "http://localhost:8081/employee-sig",
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig",
"saml_single_logout_service_url_post": "http://localhost:8081/employee-sig",
"saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig",
"saml.server.signature": "true",
"saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1",


@ -201,8 +201,8 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk16</artifactId>
<version>${bouncycastle.version}</version>
<artifactId>>bcprov-jdk15on</artifactId>
<version>${bouncycastle.crypto.version}</version>
</dependency>
<!--
<dependency>
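Review bot: The new artifactId line reads `<artifactId>>bcprov-jdk15on</artifactId>` with a doubled `>`, so unless this is a rendering artifact the dependency coordinate becomes `>bcprov-jdk15on` and resolution fails; it should be `<artifactId>bcprov-jdk15on</artifactId>`. The switch to `${bouncycastle.crypto.version}` lines up with the 1.50 property in the parent pom earlier in this commit, so provider and mail artifacts now come from the same release; if the old `${bouncycastle.version}` property is being retired, any other module still referencing it should be checked as well.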