Merge pull request #969 from patriot1burke/master

more saml config
This commit is contained in:
Bill Burke 2015-02-11 22:13:14 -05:00
commit 4a1397afd8
11 changed files with 213 additions and 47 deletions

View file

@ -96,12 +96,78 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Force Name ID Format</term>
<listitem>
<para>
If the request has a name ID policy, ignore it and used the value configured in the admin console
under Name ID Format
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Name ID Format</term>
<listitem>
<para>
Name ID Format for the subject. If no name ID policy is specified in the request or if the
Force Name ID Format attribute is true, this value is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Master SAML Processing URL</term>
<listitem>
<para>
This URL will be used for all SAML requests and responsed directed to the SP. It will be used
as the Assertion Consumer Service URL and the Single Logout Service URL. If a login request
contains the Assertion Consumer Service URL, that will take precedence, but this URL must be valided
by a registered Valid Redirect URI pattern
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Assertion Consumer Service POST Binding URL</term>
<listitem>
<para>
POST Binding URL for the Assertion Consumer Service.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Assertion Consumer Service Redirect Binding URL</term>
<listitem>
<para>
Redirect Binding URL for the Assertion Consumer Service.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logout Service POST Binding URL</term>
<listitem>
<para>
POST Binding URL for the Logout Service.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logout Service Redirect Binding URL</term>
<listitem>
<para>
Redirect Binding URL for the Logout Service.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
You have to specify an admin URL if you want logout to work. This should be a URL that will except single logout
requests from the Keycloak server. You should also specify a default redirect url. Keycloak will redirect to this
url after single logout is complete.
For login to work, Keycloak needs to be able to resolve the URL for the Assertion Consumer Service of the SP. If
you are relying on the SP to provide this URL in the login request, then you must register valid redirect uri patterns
so that this URL can be validated. You can set the Master SAML Processing URL as well, or alternatively, you can
specify the Assertion Consumer Service URL per binding.
</para>
<para>
For logout to work, you must specify a Master SAML Processing URL, or the Loging Service URL for the binding
you want Keycloak to use.
</para>
<para>
One thing to note is that roles are not treated as a hierarchy. So, any role mappings will just be added

View file

@ -553,6 +553,12 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
"RSA_SHA512",
"DSA_SHA1"
];
$scope.nameIdFormats = [
"username",
"email",
"transient",
"persistent"
];
$scope.realm = realm;
$scope.create = !application.name;
@ -563,6 +569,7 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.samlClientSignature = false;
$scope.samlEncrypt = false;
$scope.samlForcePostBinding = false;
$scope.samlForceNameIdFormat = false;
if (!$scope.create) {
if (!application.attributes) {
application.attributes = {};
@ -588,13 +595,25 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
} else if (application.attributes['saml.signature.algorithm'] == 'DSA_SHA1') {
$scope.signatureAlgorithm = $scope.signatureAlgorithms[3];
}
if (application.attributes['saml_name_id_format'] == 'unspecified') {
$scope.nameIdFormat = $scope.nameIdFormats[0];
} else if (application.attributes['saml_name_id_format'] == 'email') {
$scope.nameIdFormat = $scope.nameIdFormats[1];
} else if (application.attributes['saml_name_id_format'] == 'transient') {
$scope.nameIdFormat = $scope.nameIdFormats[2];
} else if (application.attributes['saml_name_id_format'] == 'persistent') {
$scope.nameIdFormat = $scope.nameIdFormats[3];
}
} else {
$scope.application = { enabled: true, attributes: {}};
$scope.application.redirectUris = [];
$scope.accessType = $scope.accessTypes[0];
$scope.protocol = $scope.protocols[0];
$scope.signatureAlgorithm = $scope.signatureAlgorithms[1];
$scope.nameIdFormat = $scope.nameIdFormats[0];
$scope.samlAuthnStatement = true;
$scope.samlForceNameIdFormat = false;
}
if ($scope.application.attributes["saml.server.signature"]) {
@ -633,6 +652,13 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.samlAuthnStatement = false;
}
}
if ($scope.application.attributes["saml_force_name_id_format"]) {
if ($scope.application.attributes["saml_force_name_id_format"] == "true") {
$scope.samlForceNameIdFormat = true;
} else {
$scope.samlForceNameIdFormat = false;
}
}
if ($scope.application.attributes["saml.multivalued.roles"]) {
if ($scope.application.attributes["saml.multivalued.roles"] == "true") {
$scope.samlMultiValuedRoles = true;
@ -677,6 +703,10 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.application.attributes['saml.signature.algorithm'] = $scope.signatureAlgorithm;
};
$scope.changeNameIdFormat = function() {
$scope.application.attributes['saml_name_id_format'] = $scope.nameIdFormat;
};
$scope.$watch(function() {
return $location.path();
}, function() {
@ -733,6 +763,12 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
} else {
$scope.application.attributes["saml.authnstatement"] = "false";
}
if ($scope.samlForceNameIdFormat == true) {
$scope.application.attributes["saml_force_name_id_format"] = "true";
} else {
$scope.application.attributes["saml_force_name_id_format"] = "false";
}
if ($scope.samlMultiValuedRoles == true) {
$scope.application.attributes["saml.multivalued.roles"] = "true";
@ -749,6 +785,7 @@ module.controller('ApplicationDetailCtrl', function($scope, realm, application,
$scope.application.protocol = $scope.protocol;
$scope.application.attributes['saml.signature.algorithm'] = $scope.signatureAlgorithm;
$scope.application.attributes['saml_name_id_format'] = $scope.nameIdFormat;
if ($scope.application.protocol != 'saml' && !$scope.application.bearerOnly && (!$scope.application.redirectUris || $scope.application.redirectUris.length == 0)) {
Notifications.error("You must specify at least one redirect uri");

View file

@ -56,20 +56,6 @@
</div>
<span tooltip-placement="right" tooltip="'Confidential' applications require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' applications are web services that never initiate a login." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service (login responses. If you leave this blank then the consumer URL is expected be sent with authn request from the SP. This sent URL must be verified via the redirect URI pattern config option below." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Assertion Consumer Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's assertion consumer service (login responses). If you leave this blank then the consumer URL is expected be sent with authn request from the SP. This sent URL must be verified via the redirect URI pattern config option below." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="samlServerSignature">Include AuthnStatement</label>
<div class="col-sm-6">
@ -99,7 +85,7 @@
<span tooltip-placement="right" tooltip="Should assertions inside SAML documents be signed? This setting isn't needed if document is already being signed." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="(samlAssertionSignature || samlServerSignature) && protocol == 'saml'">
<label class="col-sm-2 control-label" for="protocol">Signature Algorithm</label>
<label class="col-sm-2 control-label" for="signatureAlgorithm">Signature Algorithm</label>
<div class="col-sm-6">
<div class="select-kc">
<select id="signatureAlgorithm"
@ -140,21 +126,27 @@
<span tooltip-placement="right" tooltip="When true, logout requires a browser redirect to application. When false, server performs a background invocation for logout." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service POST Binding URL</label>
<label class="col-sm-2 control-label" for="samlForceNameIdFormat">Force Name ID Format</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
<input ng-model="samlForceNameIdFormat" ng-click="switchChange()" name="samlForceNameIdFormat" id="samlForceNameIdFormat" onoffswitch />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service. You can leave this blank if you are using a differen binding" class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Ignore requested NameID subject format and use admin console configured one." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service Redirect Binding URL</label>
<div class="form-group" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="samlNameIdFormat">Name ID Format</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
<div class="select-kc">
<select id="samlNameIdFormat"
ng-change="changeNameIdFormat()"
ng-model="nameIdFormat"
ng-options="format for format in nameIdFormats">
</select>
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's single logout service. You can leave this blank if you are using a different binding." class="fa fa-info-circle"></span>
</div>
<span tooltip-placement="right" tooltip="The name ID format to use for the subject." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="!application.bearerOnly">
<label class="col-sm-2 control-label" for="newRedirectUri">Redirect URI <span class="required" data-ng-show="create && protocol != 'saml'">*</span></label>
<label class="col-sm-2 control-label" for="newRedirectUri">Valid Redirect URIs <span class="required" data-ng-show="create && protocol != 'saml'">*</span></label>
<div class="col-sm-6 multiple" ng-repeat="redirectUri in application.redirectUris">
<div class="input-group kc-item-deletable">
<input class="form-control" type="text" data-ng-class="{'input-below':!$first}"
@ -175,7 +167,7 @@
</span>
</div>
</div>
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port." class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="!application.bearerOnly && !create">
<label class="col-sm-2 control-label" for="baseUrl">Default Redirect URL</label>
@ -183,7 +175,7 @@
<input class="form-control" type="text" name="baseUrl" id="baseUrl"
data-ng-model="application.baseUrl">
</div>
<span tooltip-placement="right" tooltip="Default URL to use when no redirect URI is specified. This URL will also be used when the auth server needs to link to the application for any reason." class="fa fa-info-circle"></span>
<span tooltip-placement="right" tooltip="Default URL to use when the auth server needs to redirect back to the application. This URL will also be used when the auth server needs to link to the application for any reason." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-hide="create || protocol == 'saml'">
<label class="col-sm-2 control-label" for="adminUrl">Admin URL</label>
@ -193,6 +185,14 @@
</div>
<span tooltip-placement="right" tooltip="URL to the admin interface of the application. Set this if the application supports the adapter REST API. This REST API allows the auth server to push revocation policies and other adminstrative tasks. Usually this is set to the base URL of the application." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="masterSamlUrl">Master SAML Processing URL</label>
<div class="col-sm-6">
<input class="form-control" type="text" name="masterSamlUrl" id="masterSamlUrl"
data-ng-model="application.adminUrl">
</div>
<span tooltip-placement="right" tooltip="If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overiden for each binding and service in the Fine Grain SAML Endpoint Configuration." class="fa fa-info-circle"></span>
</div>
<div class="form-group" data-ng-show="!application.bearerOnly && !create && protocol == 'openid-connect'">
<label class="col-sm-2 control-label" for="newWebOrigin">Web Origin</label>
<div class="col-sm-6 multiple" ng-repeat="webOrigin in application.webOrigins">
@ -218,6 +218,37 @@
<span tooltip-placement="right" tooltip="Allowed CORS origins. Only useful if the client adapter has CORS processing enabled." class="fa fa-info-circle"></span>
</div>
</fieldset>
<fieldset>
<legend collapsed><span class="text">Fine Grain SAML Endpoint Configuration</span> <span tooltip-placement="right" tooltip="Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service." class="fa fa-info-circle"></span></legend>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="consumerServicePost">Assertion Consumer Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_url_post" class="form-control" type="text" name="consumerServicePost" id="consumerServicePost" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="consumerServiceRedirect">Assertion Consumer Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_assertion_consumer_url_redirect" class="form-control" type="text" name="consumerServiceRedirect" id="consumerServiceRedirect" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding." class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service POST Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_post" class="form-control" type="text" name="logoutPostBinding" id="logoutPostBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML POST Binding URL for the application's single logout service. You can leave this blank if you are using a different binding" class="fa fa-info-circle"></span>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
<label class="col-sm-2 control-label" for="logoutPostBinding">Logout Service Redirect Binding URL</label>
<div class="col-sm-6">
<input ng-model="application.attributes.saml_single_logout_service_url_redirect" class="form-control" type="text" name="logoutRedirectBinding" id="logoutRedirectBinding" />
</div>
<span tooltip-placement="right" tooltip="SAML Redirect Binding URL for the application's single logout service. You can leave this blank if you are using a different binding." class="fa fa-info-circle"></span>
</div>
</fieldset>
<div class="pull-right form-actions" data-ng-show="create && access.manageApplications">
<button kc-cancel data-ng-click="cancel()">Cancel</button>

View file

@ -15,7 +15,7 @@
<aesh.version>0.33.12</aesh.version>
<base64.version>2.3.8</base64.version>
<bouncycastle.crypto.version>1.50</bouncycastle.crypto.version>
<bouncycastle.mail.version>1.46</bouncycastle.mail.version>
<bouncycastle.mail.version>1.50</bouncycastle.mail.version>
<jackson.version>1.9.9</jackson.version>
<keycloak.apache.httpcomponents.version>4.2.1</keycloak.apache.httpcomponents.version>
<resteasy.version>2.3.7.Final</resteasy.version>
@ -143,7 +143,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcmail-jdk16</artifactId>
<artifactId>bcmail-jdk15on</artifactId>
<version>${bouncycastle.mail.version}</version>
</dependency>
<dependency>

View file

@ -89,15 +89,20 @@ public class EntityDescriptorImporterService {
if (spDescriptorType.isWantAssertionsSigned()) {
app.setAttribute(SamlProtocol.SAML_ASSERTION_SIGNATURE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
}
String adminUrl = getLogoutLocation(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
if (adminUrl != null) app.setManagementUrl(adminUrl);
String logoutPost = getLogoutLocation(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
if (logoutPost != null) app.setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, logoutPost);
String logoutRedirect = getLogoutLocation(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
if (logoutPost != null) app.setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, logoutRedirect);
String urlPattern = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
if (urlPattern == null) {
urlPattern = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
String assertionConsumerServicePostBinding = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
if (assertionConsumerServicePostBinding != null) {
app.setAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, assertionConsumerServicePostBinding);
app.addRedirectUri(assertionConsumerServicePostBinding);
}
if (urlPattern != null) {
app.addRedirectUri(urlPattern);
String assertionConsumerServiceRedirectBinding = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
if (assertionConsumerServiceRedirectBinding != null) {
app.setAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, assertionConsumerServiceRedirectBinding);
app.addRedirectUri(assertionConsumerServiceRedirectBinding);
}
for (KeyDescriptorType keyDescriptor : spDescriptorType.getKeyDescriptor()) {

View file

@ -51,6 +51,8 @@ public class SamlProtocol implements LoginProtocol {
public static final String SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE = "saml_assertion_consumer_url_redirect";
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE = "saml_single_logout_service_url_post";
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE = "saml_single_logout_service_url_redirect";
public static final String SAML_FORCE_NAME_ID_FORMAT_ATTRIBUTE = "saml_force_name_id_format";
public static final String SAML_NAME_ID_FORMAT_ATTRIBUTE = "saml_name_id_format";
public static final String LOGIN_PROTOCOL = "saml";
public static final String SAML_BINDING = "saml_binding";
public static final String SAML_POST_BINDING = "post";
@ -175,10 +177,30 @@ public class SamlProtocol implements LoginProtocol {
protected String getNameIdFormat(ClientSessionModel clientSession) {
String nameIdFormat = clientSession.getNote(GeneralConstants.NAMEID_FORMAT);
ClientModel client = clientSession.getClient();
boolean forceFormat = forceNameIdFormat(client);
String configuredNameIdFormat = client.getAttribute(SAML_NAME_ID_FORMAT_ATTRIBUTE);
if ((nameIdFormat == null || forceFormat) && configuredNameIdFormat != null) {
if (configuredNameIdFormat.equals("email")) {
nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get();
} else if (configuredNameIdFormat.equals("persistent")) {
nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
} else if (configuredNameIdFormat.equals("transient")) {
nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
} else if (configuredNameIdFormat.equals("username")) {
nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
} else {
nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
}
}
if(nameIdFormat == null) return SAML_DEFAULT_NAMEID_FORMAT;
return nameIdFormat;
}
public static boolean forceNameIdFormat(ClientModel client) {
return "true".equals(client.getAttribute(SAML_FORCE_NAME_ID_FORMAT_ATTRIBUTE));
}
protected String getNameId(String nameIdFormat, ClientSessionModel clientSession, UserSessionModel userSession) {
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
return userSession.getUser().getEmail();

View file

@ -245,7 +245,7 @@ public class SamlService {
// Handle NameIDPolicy from SP
NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy();
if(nameIdPolicy != null) {
if(nameIdPolicy != null && !SamlProtocol.forceNameIdFormat(client)) {
String nameIdFormat = nameIdPolicy.getFormat().toString();
// TODO: Handle AllowCreate too, relevant for persistent NameID.
if(isSupportedNameIdFormat(nameIdFormat)) {
@ -254,8 +254,6 @@ public class SamlService {
event.error(Errors.INVALID_TOKEN);
return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unsupported NameIDFormat.");
}
} else {
clientSession.setNote(GeneralConstants.NAMEID_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get());
}
Response response = authManager.checkNonFormAuthentication(session, clientSession, realm, uriInfo, request, clientConnection, headers, event);

View file

@ -24,6 +24,14 @@
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-dependencies-server-all</artifactId>

View file

@ -21,7 +21,7 @@
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
<!-- <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/> -->
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>

View file

@ -123,6 +123,8 @@
"http://localhost:8081/sales-post-sig-email/*"
],
"attributes": {
"saml_force_name_id_format": "true",
"saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email",
@ -205,11 +207,8 @@
"redirectUris": [
"http://localhost:8081/employee-sig/*"
],
"adminUrl": "http://localhost:8081/employee-sig",
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig",
"saml_single_logout_service_url_post": "http://localhost:8081/employee-sig",
"saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig",
"saml.server.signature": "true",
"saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1",

View file

@ -201,8 +201,8 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk16</artifactId>
<version>${bouncycastle.version}</version>
<artifactId>>bcprov-jdk15on</artifactId>
<version>${bouncycastle.crypto.version}</version>
</dependency>
<!--
<dependency>