saml adapter docs
parent
a1b315adbd
commit
450e031da9
97 changed files with 697 additions and 539 deletions
|
@ -17,11 +17,11 @@
|
|||
<outputDirectory>rest-api</outputDirectory>
|
||||
</fileSet>
|
||||
<fileSet>
|
||||
<directory>../../docbook/target/auth-server-docs/publish/en-US</directory>
|
||||
<directory>../../docbook/auth-server-docs/target/docbook/publish/en-US</directory>
|
||||
<outputDirectory>userguide/keycloak-server</outputDirectory>
|
||||
</fileSet>
|
||||
<fileSet>
|
||||
<directory>../../docbook/target/saml-adapter-docs/publish/en-US</directory>
|
||||
<directory>../../docbook/saml-adapter-docs/target/docbook/publish/en-US</directory>
|
||||
<outputDirectory>userguide/saml-client-adapter</outputDirectory>
|
||||
</fileSet>
|
||||
</fileSets>
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
<h1>Keyloak Documentation</h1>
|
||||
<ul>
|
||||
<li><a href="userguide/html/index.html">Userguide HTML</a></li>
|
||||
<li><a href="userguide/html_single/index.html">Userguide HTML Single Page</a></li>
|
||||
<li><a href="userguide/pdf/keycloak-reference-guide-en-US.pdf">Userguide PDF</a></li>
|
||||
<li><a href="userguide/keycloak-server/html/index.html">Server and Keycloak Adapter Userguide HTML</a></li>
|
||||
<li><a href="userguide/keycloak-server/html_single/index.html">Server and Keycloak Adapter Userguide HTML Single Page</a></li>
|
||||
<li><a href="userguide/keycloak-server/pdf/keycloak-reference-guide-en-US.pdf">Server and Keycloak Adapter Userguide PDF</a></li>
|
||||
<li><a href="userguide/saml-client-adapter/html/index.html">SAML Client Adapter Userguide HTML</a></li>
|
||||
<li><a href="userguide/saml-client-adapter/html_single/index.html">>SAML Client Adapter Userguide HTML Single Page</a></li>
|
||||
<li><a href="userguide/saml-client-adapter/pdf/keycloak-reference-guide-en-US.pdf">SAML Client Adapter Userguide PDF</a></li>
|
||||
<li><a href="rest-api/overview-index.html">Admin REST API</a></li>
|
||||
<li><a href="javadocs/index.html">Javadocs</a></li>
|
||||
</ul>
|
|
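Review bot: The newly added single-page SAML link has a stray `>` at the start of its anchor text, so the rendered list shows `>SAML Client Adapter Userguide HTML Single Page`; the line should read `<li><a href="userguide/saml-client-adapter/html_single/index.html">SAML Client Adapter Userguide HTML Single Page</a></li>`. The heading `Keyloak Documentation` above the list is also misspelled, though that line appears to be unchanged context rather than part of this commit.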
@ -5,380 +5,471 @@
|
|||
look like:
|
||||
</para>
|
||||
<para>
|
||||
<programlisting><![CDATA[{
|
||||
"realm" : "demo",
|
||||
"resource" : "customer-portal",
|
||||
"realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB",
|
||||
"auth-server-url" : "https://localhost:8443/auth",
|
||||
"ssl-required" : "external",
|
||||
"use-resource-role-mappings" : false,
|
||||
"enable-cors" : true,
|
||||
"cors-max-age" : 1000,
|
||||
"cors-allowed-methods" : "POST, PUT, DELETE, GET",
|
||||
"bearer-only" : false,
|
||||
"enable-basic-auth" : false,
|
||||
"expose-token" : true,
|
||||
"credentials" : {
|
||||
"secret" : "234234-234234-234234"
|
||||
},
|
||||
<programlisting><![CDATA[
|
||||
<keycloak-saml-adapter>
|
||||
<SP entityID="http://localhost:8081/sales-post-sig/"
|
||||
sslPolicy="EXTERNAL"
|
||||
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
|
||||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
<IDP entityID="idp"
|
||||
signaturesRequired="true">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
|
||||
"connection-pool-size" : 20,
|
||||
"disable-trust-manager": false,
|
||||
"allow-any-hostname" : false,
|
||||
"truststore" : "path/to/truststore.jks",
|
||||
"truststore-password" : "geheim",
|
||||
"client-keystore" : "path/to/client-keystore.jks",
|
||||
"client-keystore-password" : "geheim",
|
||||
"client-key-password" : "geheim"
|
||||
}]]>
|
||||
<SingleLogoutService
|
||||
requestBinding="POST"
|
||||
responseBinding="POST"
|
||||
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
/>
|
||||
<Keys>
|
||||
<Key signing="true">
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<Certificate alias="demo"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
</IDP>
|
||||
</SP>
|
||||
</keycloak-saml-adapter>]]>
|
||||
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>
|
||||
Some of these configuration switches may be adapter specific and some are common across all adapters.
|
||||
For Java adapters you can use <literal>${...}</literal> enclosure as System property replacement.
|
||||
For example <literal>${jboss.server.config.dir}</literal>. Also, you can obtain a template
|
||||
for this config file from the admin console. Go to the realm and select the application you want a template for.
|
||||
Go to the <literal>Installation</literal> tab and this will provide you with a template that includes
|
||||
the public key of the realm.
|
||||
For example <literal>${jboss.server.config.dir}</literal>.
|
||||
</para>
|
||||
<section>
|
||||
<title>SP Element</title>
|
||||
<para>
|
||||
Here is a description of each item:
|
||||
Here is the explanation of the SP element attributes
|
||||
</para>
|
||||
<para><![CDATA[
|
||||
<SP entityID="sp"
|
||||
sslPolicy="ssl"
|
||||
nameIDPolicyFormat="format"
|
||||
forceAuthentication="true">
|
||||
...
|
||||
</SP>]]></para>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>realm</term>
|
||||
<term>entityID</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Name of the realm representing the users of your distributed applications and services.
|
||||
This is
|
||||
This is the identifier for this client. The IDP needs this value to determine
|
||||
who the client is that is communicating with it.
|
||||
<emphasis>REQUIRED.</emphasis>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>sslPolicy</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the SSL policy the adapter will enforce. Valid values are:
|
||||
ALL, EXTERNAL, and NONE. For ALL, all requests must come in via HTTPS. For
|
||||
EXTERNAL, only non-private IP addresses must come over the wire via HTTPS. For
|
||||
NONE, no requests are required to come over via HTTPS. This is
|
||||
<emphasis>OPTIONAL.</emphasis> and defaults to EXTERNAL.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>nameIDPolicyFormat</term>
|
||||
<listitem>
|
||||
<para>
|
||||
SAML clients can request a specific NameID Subject format. Fill in this value
|
||||
if you want a specific format. It must be a standard SAML format identifier, i.e.
|
||||
<literal>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</literal>
|
||||
<emphasis>OPTIONAL.</emphasis>. By default, no special format is requested.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>forceAuthentication</term>
|
||||
<listitem>
|
||||
<para>
|
||||
SAML clients can request that a user is re-authenticated even if
|
||||
they are already logged in at the IDP. Set this to true if you
|
||||
want this.
|
||||
<emphasis>OPTIONAL.</emphasis>. Set to <literal>false</literal> by default.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section>
|
||||
<section id="sp_keys">
|
||||
<title>SP Keys and Key elements</title>
|
||||
<para>
|
||||
If the IDP requires that the SP sign all of its requests and/or if the IDP will
|
||||
encrypt assertions, you must define the keys used to do this. For client signed
|
||||
documents you must define both the private and public key or certificate that will
|
||||
be used to sign documents. For encryption, you only have to define the private key
|
||||
that will be used to decrypt.
|
||||
</para>
|
||||
<para>
|
||||
There are two ways to describe your keys. Either they are stored within a Java KeyStore
|
||||
or you can cut and paste the keys directly within <literal>keycloak-saml.xml</literal>
|
||||
in the PEM format.
|
||||
</para>
|
||||
<para><![CDATA[
|
||||
<Keys>
|
||||
<Key signing="true" >
|
||||
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
|
||||
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
|
||||
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
|
||||
</KeyStore>
|
||||
</Key>
|
||||
</Keys>
|
||||
]]>
|
||||
</para>
|
||||
<para>
|
||||
The <literal>Key</literal> element has two optional attributes <literal>signing</literal>
|
||||
and <literal>encryption</literal>. When set to true these tell the adapter what the
|
||||
key will be used for. If both attributes are set to true, then the key will be used for both
|
||||
signing documents and decrypting encrypted assertions. You must set at least one of these
|
||||
attributes to true.
|
||||
</para>
|
||||
<section id="keystore">
|
||||
<title>KeyStore element</title>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>file</term>
|
||||
<listitem>
|
||||
<para>
|
||||
File path to the key store.
|
||||
<emphasis>OPTIONAL.</emphasis> The file or resource attribute
|
||||
must be set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>resource</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Username of the application. Each application has a username that is used when the
|
||||
application connects with the Keycloak server to turn an access code into an access token
|
||||
(part of the OAuth 2.0 protocol). This is
|
||||
WAR resource path to the KeyStore. This is a path used in method call to ServletContext.getResourceAsStream().
|
||||
<emphasis>OPTIONAL.</emphasis> The file or resource attribute
|
||||
must be set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>password</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The password of the KeyStore
|
||||
<emphasis>REQUIRED.</emphasis>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>realm-public-key</term>
|
||||
<listitem>
|
||||
<para>
|
||||
PEM format of public key. You can obtain this from the administration console.
|
||||
This is
|
||||
<emphasis>REQUIRED.</emphasis>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>auth-server-url</term>
|
||||
<listitem>
|
||||
<para>
|
||||
The base URL of the Keycloak Server. All other Keycloak pages and REST services are derived
|
||||
from this. It is usually of the form <literal>https://host:port/auth</literal>
|
||||
This is
|
||||
<emphasis>REQUIRED.</emphasis>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>ssl-required</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Ensures that all communication to and from the Keycloak server from the adapter is over HTTPS.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is
|
||||
<emphasis>external</emphasis>
|
||||
meaning that HTTPS is required by default for external requests. Valid values are 'all', 'external'
|
||||
and 'none'.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>use-resource-role-mappings</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If set to true, the adapter will look inside the token for application level role mappings for
|
||||
the
|
||||
user. If false, it will look at the realm level for user role mappings.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>public-client</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If set to true, the adapter will not send credentials for the client to Keycloak.
|
||||
The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>enable-cors</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This enables CORS support. It will handle CORS preflight requests. It will also look into
|
||||
the access token to determine valid origins.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>cors-max-age</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If CORS is enabled, this sets the value of the
|
||||
<literal>Access-Control-Max-Age</literal>
|
||||
header.
|
||||
This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
|
||||
responses.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>cors-allowed-methods</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If CORS is enabled, this sets the value of the
|
||||
<literal>Access-Control-Allow-Methods</literal>
|
||||
header. This should be a comma-separated string.
|
||||
This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
|
||||
responses.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>cors-allowed-headers</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If CORS is enabled, this sets the value of the
|
||||
<literal>Access-Control-Allow-Headers</literal>
|
||||
header. This should be a comma-separated string.
|
||||
This is <emphasis>OPTIONAL</emphasis>. If not set, this header is not returned in CORS
|
||||
responses.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>bearer-only</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This tells the adapter to only do bearer token authentication. That is, it will not do
|
||||
OAuth 2.0 redirects, but only accept bearer tokens through the
|
||||
<literal>Authorization</literal>
|
||||
header.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>enable-basic-auth</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This tells the adapter to also support basic authentication. If this option is enabled,
|
||||
then <emphasis>secret</emphasis> must also be provided.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>expose-token</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If <literal>true</literal>, an authenticated browser client (via a Javascript HTTP invocation)
|
||||
can obtain the signed access token via the URL <literal>root/k_query_bearer_token</literal>.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <emphasis>false</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>credentials</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specify the credentials of the application. This is an object notation where the key
|
||||
is the credential type and the value is the value of the credential type. Currently only
|
||||
<literal>password</literal>
|
||||
is supported.
|
||||
This is <emphasis>REQUIRED</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
</para>
|
||||
<para>
|
||||
You can and must also specify references to your private keys and certificates within
|
||||
the Java KeyStore. The <literal>PrivateKey</literal> and <literal>Certificate</literal>
|
||||
elements do this. The <literal>alias</literal> attribute defines the alias within the
|
||||
KeyStore for the key. For <literal>PrivateKey</literal>, a password is required to access this key
|
||||
specify that value in the <literal>password</literal> attribute.
|
||||
</para>
|
||||
</section>
|
||||
<section id="key_pems">
|
||||
<title>Key PEMS</title>
|
||||
<para>
|
||||
Within the <literal>Key</literal> element you alternatively declare your keys and certificates
|
||||
directly using the sub elements <literal>PrivateKeyPem</literal>, <literal>PublicKeyPem</literal>, and
|
||||
<literal>CertificatePem</literal>. The values contained in these elements must conform to the
|
||||
PEM key format. You usually use this option if you are generating keys using <literal>openssl</literal>
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
<section>
|
||||
<title>SP PrincipalNameMapping element</title>
|
||||
<para>
|
||||
This element is optional. When creating a Java Principal object that you obtain from
|
||||
methods like HttpServletRequest.getUserPrincipal(), you can define what name that is returned
|
||||
by the Principal.getName() method. The <literal>policy</literal> attribute defines the
|
||||
policy used to populate this value. The values are <literal>FROM_NAME_ID</literal>. This policy
|
||||
just grabs whatever the SAML subject value is. The other is <literal>FROM_ATTRIBUTE</literal>. This will
|
||||
pull the value of Principal.getName() from one of the attributes in the SAML assertion received from the server.
|
||||
The default value is <literal>FROM_NAME_ID</literal>.
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>RoleIdentifiers element</title>
|
||||
<para><![CDATA[
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
<Attribute name="member"/>
|
||||
<Attribute name="memberOf"/>
|
||||
</RoleIdentifiers>
|
||||
]]></para>
|
||||
<para>
|
||||
This element is optional. It defines which SAML attribute values in the assertion should be
|
||||
mapped to a Java EE role. By default <literal>Role</literal> attribute values are converted
|
||||
to Java EE roles. Some IDPs send roles via a <literal>member</literal> or <literal>memberOf</literal>
|
||||
attribute assertion. You define one or more <literal>Attribute</literal> elements to specify
|
||||
which SAML attributes must be converted into roles.
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>IDP Element</title>
|
||||
<para>
|
||||
Everything in the IDP element describes the settings for the IDP the SP is communicating
|
||||
with.
|
||||
</para>
|
||||
<para>
|
||||
<![CDATA[
|
||||
<IDP entityID="idp"
|
||||
signaturesRequired="true"
|
||||
signatureAlgorithm="RSA_SHA1"
|
||||
signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
|
||||
...
|
||||
</IDP>]]>
|
||||
</para>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>connection-pool-size</term>
|
||||
<term>entityID</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Adapters will make separate HTTP invocations to the Keycloak Server to turn an access code
|
||||
into an access token. This config option defines how many connections to the Keycloak Server
|
||||
should be pooled.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <literal>20</literal>.
|
||||
This is the issuer ID of the IDP.
|
||||
<emphasis>REQUIRED.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>disable-trust-manager</term>
|
||||
<term>signaturesRequired</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If the Keycloak Server requires HTTPS and this config option is set to <literal>true</literal>
|
||||
you do not have to specify a truststore. While convenient, this setting is not recommended
|
||||
as you will not be verifying the host name of the Keycloak Server.
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <literal>false</literal>.
|
||||
If set to true, the client adapter will sign every document
|
||||
it sends to the IDP. Also, the client will expect that the IDP
|
||||
will be signing an documents sent to it. This switch sets
|
||||
the default for all request and response types, but you will see
|
||||
later that you have some fine grain control over this.
|
||||
<emphasis>OPTIONAL.</emphasis>
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>allow-any-hostname</term>
|
||||
<term>signatureAlgorithm</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If the Keycloak Server requires HTTPS and this config option is set to <literal>true</literal>
|
||||
the Keycloak Server's certificate is validated via the truststore, but host name validation is
|
||||
not done. This is not a recommended. This seting may be useful in test environments
|
||||
This is <emphasis>OPTIONAL</emphasis>. The default value is <literal>false</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>truststore</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This setting is for Java adapters. The value is the file path to a Java keystore file. If
|
||||
you prefix the path with <literal>classpath:</literal>, then the truststore will be obtained
|
||||
from the deployment's classpath instead.
|
||||
Used for outgoing HTTPS communications to the Keycloak server. Client making HTTPS
|
||||
requests need a way to verify the host of the server they are talking to. This is
|
||||
what the trustore does. The keystore contains one or more trusted
|
||||
host certificates or certificate authorities. You can
|
||||
create this truststore by extracting the public certificate of the Keycloak server's SSL
|
||||
keystore.
|
||||
This is
|
||||
<emphasis>OPTIONAL</emphasis>
|
||||
if
|
||||
<literal>ssl-required</literal>
|
||||
is
|
||||
<literal>none</literal>
|
||||
or
|
||||
<literal>disable-trust-manager</literal>
|
||||
is <literal>true</literal>.
|
||||
This is the signature algorithm that the IDP expects signed documents
|
||||
to use
|
||||
<emphasis>OPTIONAL.</emphasis>. The default value is RSA_SHA1, but
|
||||
you can also use RSA_256, RSA_512, and DSA_SHA1.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>truststore-password</term>
|
||||
<term>signatureCanonicalizationMethod</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Password for the truststore keystore.
|
||||
This is
|
||||
<emphasis>REQUIRED</emphasis>
|
||||
if
|
||||
<literal>truststore</literal>
|
||||
is set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>client-keystore</term>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis>Not supported yet, but we will support in future versions.</emphasis>
|
||||
|
||||
This setting is for Java adapters. This is the file path to a Java keystore file.
|
||||
This keystore contains client certificate for two-way SSL when the adapter makes
|
||||
HTTPS requests to the Keycloak server.
|
||||
This is <emphasis>OPTIONAL</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>client-keystore-password</term>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis>Not supported yet, but we will support in future versions.</emphasis>
|
||||
Password for the client keystore.
|
||||
This is
|
||||
<emphasis>REQUIRED</emphasis>
|
||||
if
|
||||
<literal>client-keystore</literal>
|
||||
is set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>client-key-password</term>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis>Not supported yet, but we will support in future versions.</emphasis>
|
||||
Password for the client's key.
|
||||
This is
|
||||
<emphasis>REQUIRED</emphasis>
|
||||
if
|
||||
<literal>client-keystore</literal>
|
||||
is set.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>auth-server-url-for-backend-requests</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Alternative location of auth-server-url used just for backend requests. It must be absolute URI. Useful
|
||||
especially in cluster (see <link linkend="relative-uri-optimization">Relative URI Optimization</link>) or if you would like to use <emphasis>https</emphasis> for browser requests
|
||||
but stick with <emphasis>http</emphasis> for backend requests etc.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>always-refresh-token</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If <emphasis>true</emphasis>, Keycloak will refresh token in every request. More info in <link linkend="refresh-token-each-req">Refresh token in each request</link> .
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>register-node-at-startup</term>
|
||||
<listitem>
|
||||
<para>
|
||||
If <emphasis>true</emphasis>, then adapter will send registration request to Keycloak. It's <emphasis>false</emphasis>
|
||||
by default and useful just in cluster (See <link linkend="registration-app-nodes">Registration of application nodes to Keycloak</link>)
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>register-node-period</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Period for re-registration adapter to Keycloak. Useful in cluster. See <link linkend="registration-app-nodes">Registration of application nodes to Keycloak</link> for details.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>token-store</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Possible values are <emphasis>session</emphasis> and <emphasis>cookie</emphasis>. Default is <emphasis>session</emphasis>,
|
||||
which means that adapter stores account info in HTTP Session. Alternative <emphasis>cookie</emphasis> means storage of info in cookie.
|
||||
See <link linkend="stateless-token-store">Stateless token store</link> for details.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>principal-attribute</term>
|
||||
<listitem>
|
||||
<para>
|
||||
OpenID Connection ID Token attribute to populate the UserPrincipal name with. If token attribute is null, defaults to <literal>sub</literal>.
|
||||
Possible values are <literal>sub</literal>, <literal>preferred_username</literal>, <literal>email</literal>, <literal>name</literal>, <literal>nickname</literal>, <literal>given_name</literal>, <literal>family_name</literal>.
|
||||
This is the signature canonicalization method that the IDP expects signed documents
|
||||
to use
|
||||
<emphasis>OPTIONAL.</emphasis>. The default value is <literal>http://www.w3.org/2001/10/xml-exc-c14n#</literal>
|
||||
and should be good for most IDPs.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>IDP SingleSignOnService sub element</title>
|
||||
<para>
|
||||
The <literal>SignleSignOnService</literal> sub element defines the
|
||||
login SAML endpoint of the IDP.
|
||||
</para>
|
||||
<para><![CDATA[
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
requestBinding="post"
|
||||
bindingUrl="url"/>
|
||||
]]></para>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>signRequest</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client sign authn requests?
|
||||
<emphasis>OPTIONAL.</emphasis>. Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>validateResponseSignature</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client expect the IDP to sign the assertion response document
|
||||
sent back from an auhtn request?
|
||||
<emphasis>OPTIONAL.</emphasis> Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>requestBinding</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the SAML binding type used for communicating with the IDP
|
||||
<emphasis>OPTIONAL.</emphasis>. The default value is POST, but
|
||||
you can set it to REDIRECT as well.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>responseBinding</term>
|
||||
<listitem>
|
||||
<para>
|
||||
SAML allows the client to request what binding type it wants authn responses
|
||||
to use. The values of this can be POST or REDIRECT
|
||||
<emphasis>OPTIONAL.</emphasis>. The default is that the client will not request
|
||||
a specific binding type for responses.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>bindingUrl</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the URL for the ID login service that the client will send requests to.
|
||||
<emphasis>REQUIRED.</emphasis>.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section> <section>
|
||||
<title>IDP SingleSignOnService sub element</title>
|
||||
<para>
|
||||
The <literal>SignleSignOnService</literal> sub element defines the
|
||||
login SAML endpoint of the IDP.
|
||||
</para>
|
||||
<para><![CDATA[
|
||||
<SingleLogoutService validateRequestSignature="true"
|
||||
validateResponseSignature="true"
|
||||
signRequest="true"
|
||||
signResponse="true"
|
||||
requestBinding="redirect"
|
||||
responseBinding="post"
|
||||
postBindingUrl="posturl"
|
||||
redirectBindingUrl="redirecturl">
|
||||
]]></para>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>signRequest</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client sign logout requests it makes to the IDP?
|
||||
<emphasis>OPTIONAL.</emphasis>. Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>signResponse</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client sign logout responses it sends to the IDP requests?
|
||||
<emphasis>OPTIONAL.</emphasis>. Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>validateRequestSignature</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client expect signed logout request documents from the IDP?
|
||||
<emphasis>OPTIONAL.</emphasis> Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>validateResponseSignature</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Should the client expect signed logout response documents from the IDP?
|
||||
<emphasis>OPTIONAL.</emphasis> Defaults to whatever the
|
||||
IDP <literal>signaturesRequired</literal> element value is.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>requestBinding</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the SAML binding type used for communicating SAML requests to the IDP
|
||||
<emphasis>OPTIONAL.</emphasis>. The default value is POST, but
|
||||
you can set it to REDIRECT as well.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>responseBinding</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the SAML binding type used for communicating SAML responses to the IDP
|
||||
The values of this can be POST or REDIRECT
|
||||
<emphasis>OPTIONAL.</emphasis>. The default value is POST, but
|
||||
you can set it to REDIRECT as well.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>postBindingUrl</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the URL for the IDP's logout service when using the POST binding.
|
||||
<emphasis>REQUIRED</emphasis> if using the POST binding at all.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term>redirectBindingUrl</term>
|
||||
<listitem>
|
||||
<para>
|
||||
This is the URL for the IDP's logout service when using the REDIRECT binding.
|
||||
<emphasis>REQUIRED</emphasis> if using the REDIRECT binding at all.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>IDP Keys subelement</title>
|
||||
<para>
|
||||
The Keys sub element of IDP is only used to define the certificate or
|
||||
public key to use to verify documents signed by the IDP. It is defined
|
||||
in the same way as the <link linkend="sp_keys">SP's Key's element</link>. But
|
||||
again, you only have to define one certificate or public key reference.
|
||||
</para>
|
||||
|
||||
</section>
|
||||
|
||||
</chapter>
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
42
pom.xml
42
pom.xml
|
@ -1269,6 +1269,48 @@
|
|||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-tomcat6-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-tomcat7-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-tomcat8-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-jetty81-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-jetty92-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-as7-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-saml-eap6-adapter-dist</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>zip</type>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.keycloak</groupId>
|
||||
<artifactId>keycloak-testsuite-integration</artifactId>
|
||||
|
|
|
@ -67,8 +67,7 @@ public interface SamlDeployment {
|
|||
|
||||
enum PrincipalNamePolicy {
|
||||
FROM_NAME_ID,
|
||||
FROM_ATTRIBUTE_NAME,
|
||||
FROM_FRIENDLY_ATTRIBUTE_NAME
|
||||
FROM_ATTRIBUTE
|
||||
}
|
||||
PrincipalNamePolicy getPrincipalNamePolicy();
|
||||
String getPrincipalAttributeName();
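Review bot: FROM_ATTRIBUTE replaces the two removed constants without any documentation of what it selects, so a reader of SamlDeployment has to find the parser to learn that it pairs with getPrincipalAttributeName(). Because the removed values are public enum constants, an existing PrincipalNameMapping policy attribute that still names FROM_ATTRIBUTE_NAME or FROM_FRIENDLY_ATTRIBUTE_NAME will presumably fail when the policy string is converted to the enum (that conversion is not in this hunk), which deserves a line in the release notes. Add Javadoc on the enum worded to match the mapping code, along the lines of `/** How the user principal name is derived: FROM_NAME_ID from the assertion NameID, FROM_ATTRIBUTE from the assertion attribute named by getPrincipalAttributeName(). */`. The enclosing SamlDeployment interface starts and ends outside the hunk.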
|
||||
|
|
|
@ -24,16 +24,16 @@ public class IDPXmlParser extends AbstractParser {
|
|||
StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
StaxParserUtil.validate(startElement, ConfigXmlConstants.IDP_ELEMENT);
|
||||
IDP idp = new IDP();
|
||||
String entityID = StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
|
||||
String entityID = SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
|
||||
if (entityID == null) {
|
||||
throw new ParsingException("entityID must be set on IDP");
|
||||
|
||||
}
|
||||
idp.setEntityID(entityID);
|
||||
|
||||
boolean signaturesRequired = StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNATURES_REQUIRED_ATTR);
|
||||
idp.setSignatureCanonicalizationMethod(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
|
||||
idp.setSignatureAlgorithm(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR));
|
||||
boolean signaturesRequired = SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNATURES_REQUIRED_ATTR);
|
||||
idp.setSignatureCanonicalizationMethod(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_CANONICALIZATION_METHOD_ATTR));
|
||||
idp.setSignatureAlgorithm(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR));
|
||||
while (xmlEventReader.hasNext()) {
|
||||
XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
|
||||
if (xmlEvent == null)
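Review bot: IDPXmlParser now depends on SPXmlParser purely to reach its static getAttributeValue/getBooleanAttributeValue helpers, and the KeyXmlParser hunks below (-24,8, -46,13, -65,14 and -97,19) do the same, so the SP parser has become a shared utility for its siblings by accident of where the code was written. Moving the four helpers into a small dedicated class (or onto the common AbstractParser base) would let every call site read `getAttributeValue(startElement, ...)` as it already does inside SPXmlParser, and would give the property-replacement behaviour one documented home. A one-line Javadoc there, `/** Reads an attribute and expands property references via StringPropertyReplacer.replaceProperties; returns null when the attribute is absent. */`, would record why these exist next to the same-named StaxParserUtil methods. The enclosing parse method starts and ends outside the hunk.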
|
||||
|
@ -73,25 +73,25 @@ public class IDPXmlParser extends AbstractParser {
|
|||
protected IDP.SingleLogoutService parseSingleLogoutService(XMLEventReader xmlEventReader, boolean signaturesRequired) throws ParsingException {
|
||||
IDP.SingleLogoutService slo = new IDP.SingleLogoutService();
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
slo.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
|
||||
slo.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
|
||||
slo.setValidateRequestSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_REQUEST_SIGNATURE_ATTR, signaturesRequired));
|
||||
slo.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
slo.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
slo.setSignResponse(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_RESPONSE_ATTR, signaturesRequired));
|
||||
slo.setPostBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.POST_BINDING_URL_ATTR));
|
||||
slo.setRedirectBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REDIRECT_BINDING_URL_ATTR));
|
||||
slo.setSignRequest(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
|
||||
slo.setValidateResponseSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
|
||||
slo.setValidateRequestSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_REQUEST_SIGNATURE_ATTR, signaturesRequired));
|
||||
slo.setRequestBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
slo.setResponseBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
slo.setSignResponse(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_RESPONSE_ATTR, signaturesRequired));
|
||||
slo.setPostBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.POST_BINDING_URL_ATTR));
|
||||
slo.setRedirectBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REDIRECT_BINDING_URL_ATTR));
|
||||
return slo;
|
||||
}
|
||||
|
||||
protected IDP.SingleSignOnService parseSingleSignOnService(XMLEventReader xmlEventReader, boolean signaturesRequired) throws ParsingException {
|
||||
IDP.SingleSignOnService sso = new IDP.SingleSignOnService();
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
sso.setSignRequest(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
|
||||
sso.setValidateResponseSignature(StaxParserUtil.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
|
||||
sso.setRequestBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
sso.setResponseBinding(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
sso.setBindingUrl(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
|
||||
sso.setSignRequest(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.SIGN_REQUEST_ATTR, signaturesRequired));
|
||||
sso.setValidateResponseSignature(SPXmlParser.getBooleanAttributeValue(element, ConfigXmlConstants.VALIDATE_RESPONSE_SIGNATURE_ATTR, signaturesRequired));
|
||||
sso.setRequestBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.REQUEST_BINDING_ATTR));
|
||||
sso.setResponseBinding(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.RESPONSE_BINDING_ATTR));
|
||||
sso.setBindingUrl(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.BINDING_URL_ATTR));
|
||||
return sso;
|
||||
}
|
||||
|
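Review bot: requestBinding and responseBinding are still stored as raw strings in both parseSingleLogoutService and parseSingleSignOnService, while the adapter documentation in this same commit says the only valid values are POST and REDIRECT; a misspelled or unresolved value is accepted here and only surfaces later, wherever the binding is consumed. Validate at parse time with a small helper, `if (binding != null && !"POST".equals(binding) && !"REDIRECT".equals(binding)) throw new ParsingException("Unsupported SAML binding: " + binding);`, called for both attributes in both methods. This would also catch a property reference that StringPropertyReplacer could not resolve, assuming it leaves the text untouched in that case (not visible here).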
||||
|
|
|
@ -7,8 +7,6 @@ import org.keycloak.saml.common.util.StaxParserUtil;
|
|||
|
||||
import javax.xml.namespace.QName;
|
||||
import javax.xml.stream.XMLEventReader;
|
||||
import javax.xml.stream.XMLStreamException;
|
||||
import javax.xml.stream.events.Characters;
|
||||
import javax.xml.stream.events.EndElement;
|
||||
import javax.xml.stream.events.StartElement;
|
||||
import javax.xml.stream.events.XMLEvent;
|
||||
|
@ -24,8 +22,8 @@ public class KeyXmlParser extends AbstractParser {
|
|||
StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
StaxParserUtil.validate(startElement, ConfigXmlConstants.KEY_ELEMENT);
|
||||
Key key = new Key();
|
||||
key.setSigning(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNING_ATTR));
|
||||
key.setEncryption(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.ENCRYPTION_ATTR));
|
||||
key.setSigning(SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.SIGNING_ATTR));
|
||||
key.setEncryption(SPXmlParser.getBooleanAttributeValue(startElement, ConfigXmlConstants.ENCRYPTION_ATTR));
|
||||
while (xmlEventReader.hasNext()) {
|
||||
XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
|
||||
if (xmlEvent == null)
|
||||
|
@ -46,13 +44,13 @@ public class KeyXmlParser extends AbstractParser {
|
|||
key.setKeystore(parseKeyStore(xmlEventReader));
|
||||
} else if (tag.equals(ConfigXmlConstants.CERTIFICATE_PEM_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
key.setCertificatePem(StaxParserUtil.getElementText(xmlEventReader));
|
||||
key.setCertificatePem(SPXmlParser.getElementText(xmlEventReader));
|
||||
} else if (tag.equals(ConfigXmlConstants.PUBLIC_KEY_PEM_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
key.setPublicKeyPem(StaxParserUtil.getElementText(xmlEventReader));
|
||||
key.setPublicKeyPem(SPXmlParser.getElementText(xmlEventReader));
|
||||
} else if (tag.equals(ConfigXmlConstants.PRIVATE_KEY_PEM_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
key.setPrivateKeyPem(StaxParserUtil.getElementText(xmlEventReader));
|
||||
key.setPrivateKeyPem(SPXmlParser.getElementText(xmlEventReader));
|
||||
} else {
|
||||
StaxParserUtil.bypassElementBlock(xmlEventReader, tag);
|
||||
}
|
||||
|
@ -65,14 +63,14 @@ public class KeyXmlParser extends AbstractParser {
|
|||
StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
StaxParserUtil.validate(startElement, ConfigXmlConstants.KEYS_STORE_ELEMENT);
|
||||
Key.KeyStoreConfig keyStore = new Key.KeyStoreConfig();
|
||||
keyStore.setType(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.TYPE_ATTR));
|
||||
keyStore.setAlias(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ALIAS_ATTR));
|
||||
keyStore.setFile(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.FILE_ATTR));
|
||||
keyStore.setResource(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.RESOURCE_ATTR));
|
||||
keyStore.setType(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.TYPE_ATTR));
|
||||
keyStore.setAlias(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.ALIAS_ATTR));
|
||||
keyStore.setFile(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.FILE_ATTR));
|
||||
keyStore.setResource(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.RESOURCE_ATTR));
|
||||
if (keyStore.getFile() == null && keyStore.getResource() == null) {
|
||||
throw new ParsingException("KeyStore element must have the url or classpath attribute set");
|
||||
}
|
||||
keyStore.setPassword(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.PASSWORD_ATTR));
|
||||
keyStore.setPassword(SPXmlParser.getAttributeValue(startElement, ConfigXmlConstants.PASSWORD_ATTR));
|
||||
if (keyStore.getPassword() == null) {
|
||||
throw new ParsingException("KeyStore element must have the password attribute set");
|
||||
}
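Review bot: The message in `throw new ParsingException("KeyStore element must have the url or classpath attribute set")` names attributes that the code two lines above does not read; the lookups use ConfigXmlConstants.FILE_ATTR and RESOURCE_ATTR, whose values are not visible here but whose names suggest `file` and `resource`. Since the commit already rewrote the adjacent lookups, build the message from the constants so it cannot drift again: `throw new ParsingException("KeyStore element must have the " + ConfigXmlConstants.FILE_ATTR + " or " + ConfigXmlConstants.RESOURCE_ATTR + " attribute set");`. Reading the keystore password through the property-expanding getAttributeValue is a welcome change, since the secret no longer has to be written literally into the deployment file. The enclosing method (presumably parseKeyStore, judging by the call in the hunk above) starts and ends outside this hunk.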
|
||||
|
@ -97,19 +95,19 @@ public class KeyXmlParser extends AbstractParser {
|
|||
String tag = StaxParserUtil.getStartElementName(startElement);
|
||||
if (tag.equals(ConfigXmlConstants.CERTIFICATE_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
keyStore.setCertificateAlias(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
|
||||
keyStore.setCertificateAlias(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
|
||||
if (keyStore.getCertificateAlias() == null) {
|
||||
throw new ParsingException("KeyStore Certificate element must have the alias attribute set");
|
||||
|
||||
}
|
||||
} else if (tag.equals(ConfigXmlConstants.PRIVATE_KEY_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
keyStore.setPrivateKeyAlias(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
|
||||
keyStore.setPrivateKeyAlias(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.ALIAS_ATTR));
|
||||
if (keyStore.getPrivateKeyAlias() == null) {
|
||||
throw new ParsingException("KeyStore PrivateKey element must have the alias attribute set");
|
||||
|
||||
}
|
||||
keyStore.setPrivateKeyPassword(StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.PASSWORD_ATTR));
|
||||
keyStore.setPrivateKeyPassword(SPXmlParser.getAttributeValue(element, ConfigXmlConstants.PASSWORD_ATTR));
|
||||
if (keyStore.getPrivateKeyPassword() == null) {
|
||||
throw new ParsingException("KeyStore PrivateKey element must have the password attribute set");
|
||||
|
||||
|
|
|
@ -6,9 +6,11 @@ import org.keycloak.adapters.saml.config.SP;
|
|||
import org.keycloak.saml.common.exceptions.ParsingException;
|
||||
import org.keycloak.saml.common.parsers.AbstractParser;
|
||||
import org.keycloak.saml.common.util.StaxParserUtil;
|
||||
import org.keycloak.util.StringPropertyReplacer;
|
||||
|
||||
import javax.xml.namespace.QName;
|
||||
import javax.xml.stream.XMLEventReader;
|
||||
import javax.xml.stream.events.Attribute;
|
||||
import javax.xml.stream.events.EndElement;
|
||||
import javax.xml.stream.events.StartElement;
|
||||
import javax.xml.stream.events.XMLEvent;
|
||||
|
@ -23,21 +25,44 @@ import java.util.Set;
|
|||
*/
|
||||
public class SPXmlParser extends AbstractParser {
|
||||
|
||||
public static String getAttributeValue(StartElement startElement, String tag) {
|
||||
String str = StaxParserUtil.getAttributeValue(startElement, tag);
|
||||
if (str != null) return StringPropertyReplacer.replaceProperties(str);
|
||||
else return str;
|
||||
}
|
||||
|
||||
public static boolean getBooleanAttributeValue(StartElement startElement, String tag, boolean defaultValue) {
|
||||
String result = getAttributeValue(startElement, tag);
|
||||
if (result == null) return defaultValue;
|
||||
return Boolean.valueOf(result);
|
||||
}
|
||||
|
||||
public static boolean getBooleanAttributeValue(StartElement startElement, String tag) {
|
||||
return getBooleanAttributeValue(startElement, tag, false);
|
||||
}
|
||||
|
||||
public static String getElementText(XMLEventReader xmlEventReader) throws ParsingException {
|
||||
String result = StaxParserUtil.getElementText(xmlEventReader);
|
||||
if (result != null) result = StringPropertyReplacer.replaceProperties(result);
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
|
||||
StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
StaxParserUtil.validate(startElement, ConfigXmlConstants.SP_ELEMENT);
|
||||
SP sp = new SP();
|
||||
String entityID = StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
|
||||
String entityID = getAttributeValue(startElement, ConfigXmlConstants.ENTITY_ID_ATTR);
|
||||
if (entityID == null) {
|
||||
throw new ParsingException("entityID must be set on SP");
|
||||
|
||||
}
|
||||
sp.setEntityID(entityID);
|
||||
sp.setSslPolicy(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.SSL_POLICY_ATTR));
|
||||
sp.setLogoutPage(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
|
||||
sp.setNameIDPolicyFormat(StaxParserUtil.getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
|
||||
sp.setForceAuthentication(StaxParserUtil.getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
|
||||
sp.setSslPolicy(getAttributeValue(startElement, ConfigXmlConstants.SSL_POLICY_ATTR));
|
||||
sp.setLogoutPage(getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
|
||||
sp.setNameIDPolicyFormat(getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
|
||||
sp.setForceAuthentication(getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
|
||||
while (xmlEventReader.hasNext()) {
|
||||
XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
|
||||
if (xmlEvent == null)
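Review bot: getBooleanAttributeValue hands the expanded string to Boolean.valueOf, which returns false for every spelling other than a case-insensitive "true", so a typo such as `validateResponseSignature="ture"` or a value like `yes` silently turns a signature check off instead of failing the deployment. Parse strictly and reject anything but true/false; the callers visible in this commit (parse here, IDPXmlParser.parseSingleLogoutService and parseSingleSignOnService, and the KeyXmlParser methods) either declare ParsingException or already throw it in their bodies, and the two-argument overload needs the same throws clause. The new helpers also lack Javadoc; a one-liner on getAttributeValue, `/** Like StaxParserUtil.getAttributeValue but runs the value through StringPropertyReplacer.replaceProperties; null when the attribute is absent. */`, documents the only thing that distinguishes them from the methods they wrap. The enclosing class continues outside the hunk.
```java
public static boolean getBooleanAttributeValue(StartElement startElement, String tag, boolean defaultValue) throws ParsingException {
    String result = getAttributeValue(startElement, tag);
    if (result == null) return defaultValue;
    // Boolean.valueOf() would map any other spelling to false and silently
    // disable flags such as validateResponseSignature; fail loudly instead.
    if ("true".equalsIgnoreCase(result)) return true;
    if ("false".equalsIgnoreCase(result)) return false;
    throw new ParsingException("Attribute " + tag + " must be 'true' or 'false' but was '" + result + "'");
}

public static boolean getBooleanAttributeValue(StartElement startElement, String tag) throws ParsingException {
    return getBooleanAttributeValue(startElement, tag, false);
}
// … unchanged: getAttributeValue, getElementText, parse …
```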
|
||||
|
@ -60,12 +85,12 @@ public class SPXmlParser extends AbstractParser {
|
|||
sp.setKeys(keys);
|
||||
} else if (tag.equals(ConfigXmlConstants.PRINCIPAL_NAME_MAPPING_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
String policy = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.POLICY_ATTR);
|
||||
String policy = getAttributeValue(element, ConfigXmlConstants.POLICY_ATTR);
|
||||
if (policy == null) {
|
||||
throw new ParsingException("PrincipalNameMapping element must have the policy attribute set");
|
||||
|
||||
}
|
||||
String attribute = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.ATTRIBUTE_ATTR);
|
||||
String attribute = getAttributeValue(element, ConfigXmlConstants.ATTRIBUTE_ATTR);
|
||||
SP.PrincipalNameMapping mapping = new SP.PrincipalNameMapping();
|
||||
mapping.setPolicy(policy);
|
||||
mapping.setAttributeName(attribute);
|
||||
|
@ -107,7 +132,7 @@ public class SPXmlParser extends AbstractParser {
|
|||
String tag = StaxParserUtil.getStartElementName(startElement);
|
||||
if (tag.equals(ConfigXmlConstants.ATTRIBUTE_ELEMENT)) {
|
||||
StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
|
||||
String attributeValue = StaxParserUtil.getAttributeValue(element, ConfigXmlConstants.NAME_ATTR);
|
||||
String attributeValue = getAttributeValue(element, ConfigXmlConstants.NAME_ATTR);
|
||||
if (attributeValue == null) {
|
||||
throw new ParsingException("RoleMapping Attribute element must have the name attribute set");
|
||||
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
<xs:all>
|
||||
<xs:element name="Keys" type="keys-type" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="PrincipalNameMapping" type="principal-name-mapping-type" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="RoleMapping" type="role-mapping-type" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="RoleIdentifiers" type="role-identifiers-type" minOccurs="0" maxOccurs="1"/>
|
||||
<xs:element name="IDP" type="idp-type" minOccurs="1" maxOccurs="1"/>
|
||||
</xs:all>
|
||||
<xs:attribute name="entityID" type="xs:string" use="required"/>
|
||||
|
@ -70,7 +70,7 @@
|
|||
<xs:attribute name="policy" type="xs:string" use="required"/>
|
||||
<xs:attribute name="attribute" type="xs:string" use="optional"/>
|
||||
</xs:complexType>
|
||||
<xs:complexType name="role-mapping-type">
|
||||
<xs:complexType name="role-identifiers-type">
|
||||
<xs:choice minOccurs="0" maxOccurs="unbounded">
|
||||
<xs:element name="Attribute" maxOccurs="unbounded" minOccurs="0" type="attribute-type"/>
|
||||
</xs:choice>
|
||||
|
|
|
@ -20,9 +20,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="policy" attribute="attribute"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="member"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp"
|
||||
signatureAlgorithm="RSA"
|
||||
signatureCanonicalizationMethod="canon"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp"
|
||||
signaturesRequired="true">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp"
|
||||
signaturesRequired="true">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
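Review bot: `signRequest="true"` on the `SingleSignOnService` element requires a signing key under `<Keys>`, but the hunk starts at `</Key>` so the `<Key signing="true">` declaration and its keystore cannot be checked from here; the element also continues past the last visible line, so any `validateAssertionSignature` setting is out of view. If this example is meant to demonstrate signed requests, a comment tying the two halves together, `<!-- signRequest="true" below uses the signing key declared in <Keys> above -->` placed after `</Keys>`, would stop readers from dropping the key block and getting an adapter that cannot sign. This is the same role-element change as the other example files in this commit; the old/new side of the `RoleMapping`/`RoleIdentifiers` lines is not recoverable from the rendered page.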
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
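Review bot: `bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"` sends the AuthnRequest to the IdP over plain HTTP, and with `requestBinding="POST"` the response carrying the NameID and role attributes comes back the same way; acceptable for a loopback demo, but example configs are routinely copied into real deployments. I would mark it in place: `bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml" <!-- demo only: use https:// for any IdP that is not on localhost -->` (as an XML comment after the closing `>` of the element, since comments cannot sit inside a start tag). The `<SP>` element begins above `logoutPage` outside the hunk, so whether `sslPolicy` is set for this example cannot be confirmed here, and the +/- side of the `RoleMapping`/`RoleIdentifiers` lines is not recoverable from the rendered page.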
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="memberOf"/>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -12,9 +12,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -13,9 +13,9 @@
|
|||
</Key>
|
||||
</Keys>
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService signRequest="true"
|
||||
validateResponseSignature="true"
|
||||
|
|
|
@ -5,9 +5,9 @@
|
|||
logoutPage="/logout.jsp"
|
||||
forceAuthentication="false">
|
||||
<PrincipalNameMapping policy="FROM_NAME_ID"/>
|
||||
<RoleMapping>
|
||||
<RoleIdentifiers>
|
||||
<Attribute name="Role"/>
|
||||
</RoleMapping>
|
||||
</RoleIdentifiers>
|
||||
<IDP entityID="idp">
|
||||
<SingleSignOnService requestBinding="POST"
|
||||
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
|
||||
|
|