Merge pull request #1665 from patriot1burke/master

saml wildfly sp/dist
Bill Burke 2015-09-30 17:41:41 -04:00
commit 5b5f99fdfe
112 changed files with 550 additions and 2436 deletions


@ -39,6 +39,13 @@
<exclude>standalone/configuration/standalone-keycloak.xml</exclude>
</excludes>
</fileSet>
<fileSet>
<directory>${project.build.directory}/unpacked/keycloak-saml-wf9-adapter-${project.version}</directory>
<outputDirectory>keycloak</outputDirectory>
<excludes>
<exclude>standalone/configuration/standalone-keycloak.xml</exclude>
</excludes>
</fileSet>
<fileSet>
<directory>${project.build.directory}/unpacked/keycloak-docs-${project.version}</directory>
<outputDirectory>docs</outputDirectory>


@ -24,6 +24,11 @@
<artifactId>keycloak-wf9-adapter-dist</artifactId>
<type>zip</type>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
<type>zip</type>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-examples-dist</artifactId>
@ -101,6 +106,23 @@
</artifactItems>
</configuration>
</execution>
<execution>
<id>unpack-saml-adapter</id>
<phase>prepare-package</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
<type>zip</type>
<outputDirectory>${project.build.directory}/unpacked/keycloak-saml-wf9-adapter-${project.version}</outputDirectory>
</artifactItem>
</artifactItems>
</configuration>
</execution>
<execution>
<id>unpack-docs</id>
<phase>prepare-package</phase>


@ -18,6 +18,7 @@
<xsl:apply-templates select="node()|@*"/>
<extension module="org.keycloak.keycloak-server-subsystem"/>
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
</xsl:copy>
</xsl:template>
@ -43,6 +44,7 @@
<web-context>auth</web-context>
</subsystem>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.6"/>
</xsl:copy>
</xsl:template>
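Review bot: The SAML subsystem element added as `<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.6"/>` carries schema version 1.6 while the keycloak subsystem on the line above is declared at 1.1; a subsystem namespace in standalone.xml that the extension's parser does not register stops the server from booting, so confirm 1.6 is the exact namespace the keycloak-saml subsystem parser declares rather than a copy of the product version. The extension module named in `<extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>` also differs from the module-def this commit adds in build.xml, `org.keycloak.keycloak-saml-wf9-subsystem`; the OIDC adapter shows the same split (`keycloak-adapter-subsystem` extension versus `keycloak-wf9-subsystem` module-def), which presumably works through an alias module, so it is worth checking that the SAML equivalent of that alias is shipped in the distribution. The enclosing xsl:template starts outside the hunk.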


@ -8,6 +8,7 @@
</resources>
<dependencies>
<module name="org.jboss.logging"/>
<module name="org.keycloak.keycloak-core"/>
<module name="org.apache.santuario.xmlsec">
<imports>
<exclude path="javax/*"/>


@ -16,6 +16,7 @@
<modules>
<module>adapters</module>
<module>saml-adapters</module>
<module>demo-dist</module>
<module>docs-dist</module>
<module>examples-dist</module>


@ -7,24 +7,14 @@
<relativePath>../../pom.xml</relativePath>
</parent>
<name>Adapters Distribution Parent</name>
<name>SAML Adapters Distribution Parent</name>
<description/>
<modelVersion>4.0.0</modelVersion>
<artifactId>keycloak-adapters-distribution-parent</artifactId>
<artifactId>keycloak-saml-adapters-distribution-parent</artifactId>
<packaging>pom</packaging>
<modules>
<module>as7-eap6-adapter</module>
<module>jetty81-adapter-zip</module>
<module>jetty91-adapter-zip</module>
<module>jetty92-adapter-zip</module>
<module>js-adapter-zip</module>
<module>osgi</module>
<module>tomcat6-adapter-zip</module>
<module>tomcat7-adapter-zip</module>
<module>tomcat8-adapter-zip</module>
<module>wf8-adapter</module>
<module>wf9-adapter</module>
</modules>
</project>


@ -12,6 +12,7 @@
<directory>${project.build.directory}/unpacked</directory>
<includes>
<include>org/keycloak/keycloak-core/**</include>
<include>org/keycloak/keycloak-saml-core/**</include>
<include>org/keycloak/keycloak-saml-adapter-core/**</include>
<include>org/keycloak/keycloak-adapter-spi/**</include>
<include>org/keycloak/keycloak-jboss-adapter-core/**</include>


@ -10,7 +10,7 @@
<artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
<packaging>pom</packaging>
<name>Keycloak Wildfly 9 SAML Adapter Distro</name>
<name>Keycloak SAML Wildfly 9 Adapter Distro</name>
<description/>
<dependencies>


@ -50,6 +50,10 @@
<maven-resource group="org.keycloak" artifact="keycloak-undertow-adapter-spi"/>
</module-def>
<module-def name="org.keycloak.keycloak-saml-core">
<maven-resource group="org.keycloak" artifact="keycloak-saml-core"/>
</module-def>
<module-def name="org.keycloak.keycloak-saml-adapter-core">
<maven-resource group="org.keycloak" artifact="keycloak-saml-adapter-core"/>
</module-def>
@ -66,7 +70,7 @@
<maven-resource group="org.keycloak" artifact="keycloak-saml-wildfly-adapter"/>
</module-def>
<module-def name="org.keycloak.keycloak-wf9-subsystem">
<module-def name="org.keycloak.keycloak-saml-wf9-subsystem">
<maven-resource group="org.keycloak" artifact="keycloak-saml-wf9-subsystem"/>
</module-def>


@ -14,7 +14,7 @@
<artifactId>keycloak-saml-wf9-modules</artifactId>
<name>Keycloak Wildfly 9 Modules</name>
<name>Keycloak SAML Wildfly 9 Modules</name>
<packaging>pom</packaging>
<dependencies>
<dependency>
@ -29,6 +29,10 @@
<groupId>org.keycloak</groupId>
<artifactId>keycloak-undertow-adapter-spi</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-core</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-adapter-core</artifactId>


@ -10,6 +10,7 @@
<module name="javax.api"/>
<module name="org.jboss.logging"/>
<module name="org.keycloak.keycloak-adapter-spi"/>
<module name="org.keycloak.keycloak-saml-core"/>
<module name="org.keycloak.keycloak-core"/>
</dependencies>


@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-saml-core">
<resources>
<!-- Insert resources here -->
</resources>
<dependencies>
<module name="org.jboss.logging"/>
<module name="org.keycloak.keycloak-core"/>
<module name="org.apache.santuario.xmlsec">
<imports>
<exclude path="javax/*"/>
</imports>
</module>
<module name="javax.api"/>
</dependencies>
</module>


@ -2,24 +2,21 @@
<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-undertow-adapter">
<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-saml-undertow-adapter">
<resources>
<!-- Insert resources here -->
</resources>
<dependencies>
<module name="javax.api"/>
<module name="org.bouncycastle" />
<module name="org.codehaus.jackson.jackson-core-asl"/>
<module name="org.codehaus.jackson.jackson-mapper-asl"/>
<module name="org.codehaus.jackson.jackson-xc"/>
<module name="org.apache.httpcomponents"/>
<module name="javax.servlet.api"/>
<module name="org.jboss.logging"/>
<module name="org.jboss.xnio"/>
<module name="io.undertow.core"/>
<module name="io.undertow.servlet"/>
<module name="org.keycloak.keycloak-adapter-spi"/>
<module name="org.keycloak.keycloak-adapter-core"/>
<module name="org.keycloak.keycloak-saml-core"/>
<module name="org.keycloak.keycloak-saml-adapter-core"/>
<module name="org.keycloak.keycloak-core"/>
</dependencies>


@ -16,6 +16,7 @@
<module name="org.picketbox"/>
<module name="org.keycloak.keycloak-saml-undertow-adapter"/>
<module name="org.keycloak.keycloak-adapter-spi"/>
<module name="org.keycloak.keycloak-saml-core"/>
<module name="org.keycloak.keycloak-saml-adapter-core"/>
<module name="org.keycloak.keycloak-core"/>
</dependencies>


@ -8,6 +8,7 @@
</resources>
<dependencies>
<module name="org.jboss.logging"/>
<module name="org.keycloak.keycloak-core"/>
<module name="org.apache.santuario.xmlsec">
<imports>
<exclude path="javax/*"/>

126
examples/saml/README.md Normal file → Executable file

@ -1,123 +1,29 @@
# Keycloak SAML Quickstarts
# Keycloak SAML
## Introduction
These quickstarts run on JBoss Enterprise Application Platform 6 or WildFly.
These examples show using Keycloak Server's SAML support with Keycloak's SAML client adapter. These examples run on JBoss Enterprise Application Platform 6 or WildFly.
We recommend using the Keycloak Appliance Distribution to test the quickstarts as it has already some things pre-set for you.
There is individual README.md file specific for each quickstart in the particular subdirectory with the quickstart. Here are just some general info about the requirements for your OS etc.
We recommend using the Keycloak Demo Distribution to test the examples as it has already some things pre-set for you.
There is individual README.md file specific for each example. Here are just some general info about the requirements for running the examples.
## System Requirements
## Start the Demo Distribution
To run these quickstarts with the provided build scripts, you need the following:
See the documentation for more details.
1. Java 1.6 or Java 1.7, depending if you're using JBoss EAP or WildFly to run the quickstarts. You can choose from the following:
* OpenJDK
* Oracle Java SE
* Oracle JRockit
## Import the test realm
2. Maven 3.0.0 or newer, to build and deploy the examples
* If you have not yet installed Maven, see the [Maven Getting Started Guide](http://maven.apache.org/guides/getting-started/index.html) for details.
* If you have installed Maven, you can check the version by typing the following in a command line:
Next thing you have to do is import the test realm for these examples. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
mvn --version
[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm)
3. The JBoss Enterprise Application Platform 6 distribution ZIP or the WildFly distribution ZIP.
* For information on how to install and run those servers, refer to the their documentation.
Import the testsaml.json file that is in the saml/ example directory.
## Build and Deploy
## Run the Quickstarts
```
$ mvn clean install wildfly:deploy
```
The root folder of each individual quickstart contains a README file with specific details on how to build and run the example. In most cases you do the following:
* [Start the JBoss server](#start-the-jboss-server)
* [Build and deploy the quickstarts](#build-and-deploy-the-quickstarts)
## About the Keycloak SAML Quickstarts
The *Keycloak SAML Quickstarts* provide a lot of examples about how to use *Keycloak SAML Support* to enable SSO for your applications.
Before running them you need to understand how they are related with each other. Basically, Keycloak server is used as SAML Identity Provider and each individual WAR is used as SAML Service Provider.
Keycloak actually uses *Picketlink Federation* library as base implementation of SAML support.
### Using SAML Tracer Firefox Add-On to Debug the SAML SSO Flow
If you want to understand even better how IdPs and SPs communicate with each other, you may want to configure the [SAML Tracer Add-On](https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) to your Mozilla Firefox.
This is a nice way to debug and view SAML Messages, so you can take a look on how the IdP and SP exchange messages when establishing a SSO session.
### Start the JBoss Server
Before you deploy a quickstart, in most cases you need a running JBoss Enterprise Application Platform 6 or WildFly server. A few of the Arquillian tests do not require a running server. This will be noted in the README for that quickstart.
The JBoss server can be started a few different ways.
* [Start the JBoss Server With the _web_ profile](#start-the-jboss-server-with-the-web-profile): This is the default configuration. It defines minimal subsystems and services.
* [Start the JBoss Server with the _full_ profile](#start-the-jboss-server-with-the-full-profile): This profile configures many of the commonly used subsystems and services.
* [Start the JBoss Server with a custom configuration](#start-the-jboss-server-with-custom-configuration-options): Custom configuration parameters can be specified on the command line when starting the server.
The README for each quickstart will specify which configuration is required to run the example.
#### Start the JBoss Server with the Web Profile
To start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile:
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the JBoss server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
#### Start the JBoss Server with the Full Profile
To start JBoss Enterprise Application Platform 6 or WildFly with the Full Profile:
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the JBoss server with the full profile:
For Linux: JBOSS_HOME/bin/standalone.sh -c standalone-full.xml
For Windows: JBOSS_HOME\bin\standalone.bat -c standalone-full.xml
#### Start the JBoss Server with Custom Configuration Options
To start JBoss Enterprise Application Platform 6 or WildFly with custom configuration options:
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the JBoss server. Replace the CUSTOM_OPTIONS with the custom optional parameters specified in the quickstart.
For Linux: JBOSS_HOME/bin/standalone.sh CUSTOM_OPTIONS
For Windows: JBOSS_HOME\bin\standalone.bat CUSTOM_OPTIONS
### Build and Deploy the Quickstarts
See the README file in each individual quickstart folder for specific details and information on how to run and access the example.
#### Build the Quickstart Archive
In some cases, you may want to build the application to test for compile errors or view the contents of the archive.
1. Open a command line and navigate to the root directory of the quickstart you want to build.
2. Use this command if you only want to build the archive, but not deploy it:
For EAP 6: mvn clean package
For WildFly: mvn -Pwildfly clean package
#### Build and Deploy the Quickstart Archive
1. Make sure you [start the JBoss server](#start-the-jboss-server) as described in the README.
2. Open a command line and navigate to the root directory of the quickstart you want to run.
3. Use this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
#### Undeploy an Archive
The command to undeploy the quickstart is simply:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Keycloak Documentation
------------
The documentation is available from the following [link](https://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/saml.html).


@ -25,10 +25,8 @@
</plugins>
</build>
<modules>
<module>post-basic</module>
<module>post-with-signature</module>
<module>post-with-encryption</module>
<module>redirect-basic</module>
<module>redirect-with-signature</module>
</modules>
</project>


@ -1,254 +0,0 @@
picketlink-federation-saml-sp-post-basic: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding
===============================
Author: Pedro Igor
Level: Intermediate
Technologies: PicketLink Federation, SAML v2.0
Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding.
Source: <https://github.com/jboss-developer/jboss-picketlink-quickstarts/>
What is it?
-----------
This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client.
WARNING: This example doesn't use signed SAML request and response messages. It's used just for demonstration purpose, but in production
you should always use signed SAML messages as shown in "post-with-signature" or "post-with-encryption" examples.
Make sure you've set up the Keycloak Server
--------------------------------------
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
Alternatively, you can install the Keycloak Server onto any EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
$ cd ${wildfly.jboss.home}/standalone
$ cp -r ${keycloak-war-dist-all}/deployments .
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.0"/>
...
</profile>
Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
From appliance:
```
$ cd keycloak/bin
$ ./standalone.sh
```
From existing Wildfly/EAP6/AS7 distro
```
$ cd ${wildfly.jboss.home}/bin
$ ./standalone.sh
```
Import the Test Realm
---------------------------------------
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm)
Import the testsaml.json file that is in the saml/ example directory.
Install Picketlink Modules into App server
------------------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details.
Create the Security Domain for JBoss EAP
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Create the Security Domain for WildFly
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Review the Modified Server Configuration for EAP
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file.
The following `sp` security-domain was added to the `security` subsystem.
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider.
Review the Modified Server Configuration for WildFly
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you are using Wildfly, the security-domain should have the following configuration:
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
SAML SP-Initiated Single Sign-On
-----------------------------------
The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side.
Please, take a look at the following documentation for more details:
1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO)
Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile
-------------------------
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
Build and Deploy the Quickstart
-------------------------
_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. Type this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
4. This will deploy `target/picketlink-federation-saml-sp-post-basic.war` to the running instance of the server.
Access the application
---------------------
The application will be running at the following URL: <http://localhost:8080/sales-post>.
*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-keycloak-saml-quickstarts).*
Undeploy the Archive
--------------------
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. When you are finished testing, type this command to undeploy the archive:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Debug the Application
------------------------------------
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post</context-root>
<!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1 +0,0 @@
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post</context-root>
</jboss-web>


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,107 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.picketlink.quickstarts</groupId>
<artifactId>picketlink-federation-saml-sp-post-basic</artifactId>
<version>2.7.0.Beta2</version>
<packaging>war</packaging>
<name>PicketLink Quickstart: picketlink-federation-saml-sp-post-basic</name>
<description>PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding</description>
<url>http://www.picketlink.org</url>
<licenses>
<license>
<name>Apache License, Version 2.0</name>
<distribution>repo</distribution>
<url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
</license>
</licenses>
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.7.0.Beta2</version.picketlink.javaee.bom>
<!-- Default target container. -->
<target.container>jboss-eap</target.container>
<!-- maven-compiler-plugin -->
<version.compiler.plugin>3.1</version.compiler.plugin>
<!-- maven-deploy-plugin -->
<version.deploy.plugin>2.8.1</version.deploy.plugin>
<!-- JBoss AS dependency versions -->
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
<!-- maven-war-plugin -->
<version.war.plugin>2.1.1</version.war.plugin>
<!-- WildFly dependency versions -->
<version.wildfly.maven.plugin>1.0.1.Final</version.wildfly.maven.plugin>
<maven.compiler.target>1.6</maven.compiler.target>
<maven.compiler.source>1.6</maven.compiler.source>
</properties>
<build>
<!-- Set the name of the war, used as the context root when the app is deployed -->
<finalName>${project.artifactId}</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>${version.deploy.plugin}</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>${version.war.plugin}</version>
<configuration>
<!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
<failOnMissingWebXml>false</failOnMissingWebXml>
<!-- We need to get the configuration resources for the provided target container. -->
<classifier>${target.container}</classifier>
<webResources>
<resource>
<directory>${basedir}/conf/${target.container}</directory>
</resource>
</webResources>
</configuration>
</plugin>
<!-- JBoss AS plugin to deploy war -->
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>${version.jboss.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>wildfly</id>
<properties>
<target.container>wildfly</target.container>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>


@ -1,13 +0,0 @@
# Batch script to remove the quickstart-domain security domain from the JBoss server
# Start batching commands
batch
# Remove the security domain
/subsystem=security/security-domain=sp:remove
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,20 +0,0 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="POST">
<IdentityURL>${idp.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml}</IdentityURL>
<ServiceURL>${sales-post.url::http://localhost:8080/sales-post/}</ServiceURL>
<Trust>
<Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
</Trust>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
</PicketLink>


@ -1,85 +1,12 @@
picketlink-federation-saml-sp-with-encryption: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Encryption Support
===============================
Author: Pedro Igor
Level: Intermediate
Technologies: PicketLink Federation, SAML v2.0
Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support.
Source: <https://github.com/jboss-developer/jboss-picketlink-quickstarts/>
# Keycloak SAML Client Adapter using HTTP POST Binding With Encrypted Assertions
## Introduction
What is it?
-----------
Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support.
This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client.
## Import the test realm
Make sure you've set up the Keycloak Server
--------------------------------------
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
Alternatively, you can install the Keycloak Server onto any EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
$ cd ${wildfly.jboss.home}/standalone
$ cp -r ${keycloak-war-dist-all}/deployments .
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.0"/>
...
</profile>
Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
From appliance:
```
$ cd keycloak/bin
$ ./standalone.sh
```
From existing Wildfly/EAP6/AS7 distro
```
$ cd ${wildfly.jboss.home}/bin
$ ./standalone.sh
```
Import the Test Realm
---------------------------------------
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
If you haven't already done so, you need to import the test realm for this examples. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
@ -87,161 +14,13 @@ create a new admin password before you can go to the create realm page.
Import the testsaml.json file that is in the saml/ example directory.
Install Picketlink Modules into App server
------------------------------------------
## Build and Deploy
If you are running this example with the Keycloak application distribution, you can skip this step.
```
$ mvn clean install wildfly:deploy
```
You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details.
Create the Security Domain for JBoss EAP
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Create the Security Domain for WildFly
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Review the Modified Server Configuration for EAP
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file.
The following `sp` security-domain was added to the `security` subsystem.
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider.
Review the Modified Server Configuration for WildFly
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you are using Wildfly, the security-domain should have the following configuration:
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
SAML SP-Initiated Single Sign-On
-----------------------------------
The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side.
Please, take a look at the following documentation for more details:
1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO)
Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile
-------------------------
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
Build and Deploy the Quickstart
-------------------------
_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. Type this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
4. This will deploy `target/picketlink-federation-saml-sp-with-encryption.war` to the running instance of the server.
Access the application
---------------------
## Access the application
The application will be running at the following URL: <http://localhost:8080/sales-post-enc>.
*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-keycloak-saml-quickstarts).*
Undeploy the Archive
--------------------
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. When you are finished testing, type this command to undeploy the archive:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Debug the Application
------------------------------------
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post-enc</context-root>
<!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1 +0,0 @@
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post-enc</context-root>
</jboss-web>


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -2,16 +2,13 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.picketlink.quickstarts</groupId>
<artifactId>picketlink-federation-saml-sp-with-encryption</artifactId>
<version>2.7.0.Beta2</version>
<groupId>org.keycloak.examples</groupId>
<artifactId>saml-post-encryption</artifactId>
<version>1.6.0.Final-SNAPSHOT</version>
<packaging>war</packaging>
<name>PicketLink Quickstart: picketlink-federation-saml-sp-with-encryption</name>
<description>PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Encryption Support</description>
<url>http://www.picketlink.org</url>
<name>Keycloak SAML Adapter Example POST Binding and Assertion Encryption</name>
<licenses>
<license>
@ -21,104 +18,25 @@
</license>
</licenses>
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.7.0.Beta2</version.picketlink.javaee.bom>
<!-- Default target container. -->
<target.container>jboss-eap</target.container>
<!-- maven-compiler-plugin -->
<version.compiler.plugin>3.1</version.compiler.plugin>
<!-- maven-deploy-plugin -->
<version.deploy.plugin>2.8.1</version.deploy.plugin>
<!-- JBoss AS dependency versions -->
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
<!-- maven-war-plugin -->
<version.war.plugin>2.1.1</version.war.plugin>
<!-- WildFly dependency versions -->
<version.wildfly.maven.plugin>1.0.1.Final</version.wildfly.maven.plugin>
<maven.compiler.target>1.6</maven.compiler.target>
<maven.compiler.source>1.6</maven.compiler.source>
</properties>
<build>
<!-- Set the name of the war, used as the context root when the app is deployed -->
<finalName>${project.artifactId}</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
</resource>
<resource>
<directory>../post-basic/src/main/resources</directory>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>${version.deploy.plugin}</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>${version.war.plugin}</version>
<configuration>
<!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
<failOnMissingWebXml>false</failOnMissingWebXml>
<!-- We need to get the configuration resources for the provided target container. -->
<classifier>${target.container}</classifier>
<!-- Instead of duplicating resources for each example application, we just reuse all resources from the
base application. -->
<webResources>
<resource>
<directory>src/main/webapp</directory>
</resource>
<resource>
<directory>../post-basic/src/main/webapp</directory>
</resource>
<resource>
<directory>${basedir}/conf/${target.container}</directory>
</resource>
</webResources>
</configuration>
</plugin>
<!-- JBoss AS plugin to deploy war -->
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>${version.jboss.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
<skip>false</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>wildfly</id>
<properties>
<target.container>wildfly</target.container>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>


@ -1,13 +0,0 @@
# Batch script to remove the quickstart-domain security domain from the JBoss server
# Start batching commands
batch
# Remove the security domain
/subsystem=security/security-domain=sp:remove
# Run the batch commands
run-batch
# Reload the server configuration
:reload


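--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,45 @@
+<keycloak-saml-adapter>
+<SP entityID="http://localhost:8080/sales-post-enc/"
+sslPolicy="EXTERNAL"
+nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+logoutPage="/logout.jsp"
+forceAuthentication="false">
+<Keys>
+<Key signing="true" encryption="true">
+<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+<PrivateKey alias="http://localhost:8080/sales-post-enc/" password="test123"/>
+<Certificate alias="http://localhost:8080/sales-post-enc/"/>
+</KeyStore>
+</Key>
+</Keys>
+<PrincipalNameMapping policy="FROM_NAME_ID"/>
+<RoleMapping>
+<Attribute name="Role"/>
+</RoleMapping>
+<IDP entityID="idp">
+<SingleSignOnService signRequest="true"
+validateResponseSignature="true"
+requestBinding="POST"
+bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
+/>
+<SingleLogoutService
+validateRequestSignature="true"
+validateResponseSignature="true"
+signRequest="true"
+signResponse="true"
+requestBinding="POST"
+responseBinding="POST"
+postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
+redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
+/>
+<Keys>
+<Key signing="true" >
+<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+<Certificate alias="saml-demo"/>
+</KeyStore>
+</Key>
+</Keys>
+</IDP>
+</SP>
+</keycloak-saml-adapter>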
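Review bot: The keystore password and private-key password (`password="store123"` on both `<KeyStore>` elements, `password="test123"` on `<PrivateKey>`) are written in clear text into the descriptor with nothing marking them as sample values, and the same keystore file also carries the IdP verification certificate. A one-line comment above the first `<Keys>` would keep the file from being copied into a real deployment unchanged, e.g. `<!-- demo keystore: the sample passwords, the http:// IdP URLs and sslPolicy="EXTERNAL" are for the local example only; a real SP needs its own keystore and https endpoints -->`. The same comment could state that `validateResponseSignature="true"` on both services is what makes the IdP `<Certificate alias="saml-demo"/>` entry load-bearing, so nobody removes it when trimming the descriptor.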


@ -1,13 +1,11 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>PicketLink Sales Service Provider</display-name>
<module-name>sales-post-enc</module-name>
<description>PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding</description>
<!-- Define a Security Constraint on this Application -->
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SALES Application</web-resource-name>
@ -36,7 +34,7 @@
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>FORM</auth-method>
<auth-method>KEYCLOAK-SAML</auth-method>
<realm-name>Tomcat SALES Application</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
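Review bot: Switching `<auth-method>` to `KEYCLOAK-SAML` leaves the `<form-login-config>` block with `<form-login-page>/jsp/login.jsp</form-login-page>` in place; that page plays no part in SAML-initiated login, and the hunk gives no sign it still exists after the PicketLink files were removed, so the reference should either be dropped or carry a comment such as `<!-- not used by KEYCLOAK-SAML; login is redirected to the IdP -->`. `<display-name>PicketLink Sales Service Provider</display-name>` and `<realm-name>Tomcat SALES Application</realm-name>` still name the stack the commit retires. The `<login-config>` element continues past the end of the hunk.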



@ -2,13 +2,14 @@
<h1>SalesTool</h1>
<br/>
Welcome to the Sales Tool, <%=request.getUserPrincipal().getName()%>
<br/>
<br/>
<a href="?GLO=true">Click to LogOut</a>
<br/>
<br/>
Here is your sales chart:
<br/>
<img src="piechart.gif"/>
<br/>
<a href="?GLO=true">Click to LogOut</a>
</div>
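Review bot: `<%=request.getUserPrincipal().getName()%>` writes the principal name into the page unescaped; if this example's descriptor maps the principal from the SAML NameID as the new keycloak-saml.xml in this commit does, whatever the IdP places there reaches the HTML verbatim, so it should be escaped on output — for example `${fn:escapeXml(pageContext.request.userPrincipal.name)}`, provided the JSTL functions taglib is declared in the part of the page above the hunk, which is not visible here. Moving the logout link below the chart is fine. The enclosing page starts outside the hunk.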


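--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,43 @@
+<!--
+~ JBoss, Home of Professional Open Source.
+~ Copyright (c) 2011, Red Hat, Inc., and individual contributors
+~ as indicated by the @author tags. See the copyright.txt file in the
+~ distribution for a full listing of individual contributors.
+~
+~ This is free software; you can redistribute it and/or modify it
+~ under the terms of the GNU Lesser General Public License as
+~ published by the Free Software Foundation; either version 2.1 of
+~ the License, or (at your option) any later version.
+~
+~ This software is distributed in the hope that it will be useful,
+~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+~ Lesser General Public License for more details.
+~
+~ You should have received a copy of the GNU Lesser General Public
+~ License along with this software; if not, write to the Free
+~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+-->
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+<title>Keycloak SAML Client Adapter Example Application</title>
+<link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
+<link rel="StyleSheet" href="css/idp.css" type="text/css">
+</head>
+<body>
+<img src="images/keycloak_default_banner-1180px.png"
+style="margin-top: -10px; margin-left: -10px; opacity: 0.4; filter: alpha(opacity = 40);" />
+<div class="loginBox"
+style="margin-bottom: 80px; border: 1px solid #000000; width: 440px; background-color: #F8F8F8; align: center;">
+<center>
+<p>
+<b>Logged out. <a href="<%= request.getContextPath() %>">Login</a> again.</b>
+</p>
+</center>
+</div>
+</body>
+</html>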


@ -1,86 +1,12 @@
picketlink-federation-saml-sp-post-with-signature: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Signature Support
===============================
Author: Pedro Igor
Level: Intermediate
Technologies: PicketLink Federation, SAML v2.0
Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support.
Source: <https://github.com/jboss-developer/jboss-picketlink-quickstarts/>
# Keycloak SAML Client Adapter using HTTP POST Binding With Signatures
## Introduction
What is it?
-----------
Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support.
This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client.
## Import the test realm
Make sure you've set up the Keycloak Server
--------------------------------------
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
Alternatively, you can install the Keycloak Server onto any EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
$ cd ${wildfly.jboss.home}/standalone
$ cp -r ${keycloak-war-dist-all}/deployments .
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.0"/>
...
</profile>
Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
From appliance:
```
$ cd keycloak/bin
$ ./standalone.sh
```
From existing Wildfly/EAP6/AS7 distro
```
$ cd ${wildfly.jboss.home}/bin
$ ./standalone.sh
```
Import the Test Realm
---------------------------------------
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
If you haven't already done so, you need to import the test realm for this examples. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
@ -88,162 +14,13 @@ create a new admin password before you can go to the create realm page.
Import the testsaml.json file that is in the saml/ example directory.
Install Picketlink Modules into App server
------------------------------------------
## Build and Deploy
If you are running this example with the Keycloak application distribution, you can skip this step.
```
$ mvn clean install wildfly:deploy
```
You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details.
Create the Security Domain for JBoss EAP
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Create the Security Domain for WildFly
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Review the Modified Server Configuration for EAP
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file.
The following `sp` security-domain was added to the `security` subsystem.
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider.
Review the Modified Server Configuration for WildFly
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you are using Wildfly, the security-domain should have the following configuration:
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
SAML SP-Initiated Single Sign-On
-----------------------------------
The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side.
Please, take a look at the following documentation for more details:
1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO)
Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile
-------------------------
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
Build and Deploy the Quickstart
-------------------------
_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. Type this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
4. This will deploy `target/picketlink-federation-saml-sp-post-with-signature.war` to the running instance of the server.
Access the application
---------------------
## Access the application
The application will be running at the following URL: <http://localhost:8080/sales-post-sig>.
*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-keycloak-saml-quickstarts).*
Undeploy the Archive
--------------------
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. When you are finished testing, type this command to undeploy the archive:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Debug the Application
------------------------------------
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc

@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>

@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post-sig</context-root>
<!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>

@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>

@ -1 +0,0 @@
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension

@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>sales-post-sig</context-root>
</jboss-web>

@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload

@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload

@ -2,16 +2,13 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.picketlink.quickstarts</groupId>
<artifactId>picketlink-federation-saml-sp-post-with-signature</artifactId>
<version>2.7.0.Beta2</version>
<groupId>org.keycloak.examples</groupId>
<artifactId>saml-post-signatures</artifactId>
<version>1.6.0.Final-SNAPSHOT</version>
<packaging>war</packaging>
<name>PicketLink Quickstart: picketlink-federation-saml-sp-post-with-signature</name>
<description>PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Signature Support</description>
<url>http://www.picketlink.org</url>
<name>Keycloak SAML Adapter Example POST Binding and Signatures</name>
<licenses>
<license>
@ -21,104 +18,24 @@
</license>
</licenses>
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.7.0.Beta2</version.picketlink.javaee.bom>
<!-- Default target container. -->
<target.container>jboss-eap</target.container>
<!-- maven-compiler-plugin -->
<version.compiler.plugin>3.1</version.compiler.plugin>
<!-- maven-deploy-plugin -->
<version.deploy.plugin>2.8.1</version.deploy.plugin>
<!-- JBoss AS dependency versions -->
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
<!-- maven-war-plugin -->
<version.war.plugin>2.1.1</version.war.plugin>
<!-- WildFly dependency versions -->
<version.wildfly.maven.plugin>1.0.1.Final</version.wildfly.maven.plugin>
<maven.compiler.target>1.6</maven.compiler.target>
<maven.compiler.source>1.6</maven.compiler.source>
</properties>
<build>
<!-- Set the name of the war, used as the context root when the app is deployed -->
<finalName>${project.artifactId}</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
</resource>
<resource>
<directory>../post-basic/src/main/resources</directory>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>${version.deploy.plugin}</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>${version.war.plugin}</version>
<configuration>
<!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
<failOnMissingWebXml>false</failOnMissingWebXml>
<!-- We need to get the configuration resources for the provided target container. -->
<classifier>${target.container}</classifier>
<!-- Instead of duplicating resources for each example application, we just reuse all resources from the
base application. -->
<webResources>
<resource>
<directory>src/main/webapp</directory>
</resource>
<resource>
<directory>../post-basic/src/main/webapp</directory>
</resource>
<resource>
<directory>${basedir}/conf/${target.container}</directory>
</resource>
</webResources>
</configuration>
</plugin>
<!-- JBoss AS plugin to deploy war -->
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>${version.jboss.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
<skip>false</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>wildfly</id>
<properties>
<target.container>wildfly</target.container>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>

@ -1,13 +0,0 @@
# Batch script to remove the quickstart-domain security domain from the JBoss server
# Start batching commands
batch
# Remove the security domain
/subsystem=security/security-domain=sp:remove
# Run the batch commands
run-batch
# Reload the server configuration
:reload

@ -0,0 +1,45 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8080/sales-post-sig/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<Keys>
<Key signing="true" >
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
<PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
<Certificate alias="http://localhost:8080/sales-post-sig/"/>
</KeyStore>
</Key>
</Keys>
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleMapping>
<Attribute name="Role"/>
</RoleMapping>
<IDP entityID="idp">
<SingleSignOnService signRequest="true"
validateResponseSignature="true"
requestBinding="POST"
bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
/>
<SingleLogoutService
validateRequestSignature="true"
validateResponseSignature="true"
signRequest="true"
signResponse="true"
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
/>
<Keys>
<Key signing="true">
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
<Certificate alias="saml-demo"/>
</KeyStore>
</Key>
</Keys>
</IDP>
</SP>
</keycloak-saml-adapter>
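Review bot: The SP's keystore and private-key credentials are written in clear in this descriptor (`password="store123"` on the KeyStore element, `password="test123"` on the PrivateKey element) with nothing marking them as example material, and the same `/WEB-INF/keystore.jks` also serves as the trust store for the IdP certificate under `<IDP>` (`alias="saml-demo"`). A comment at the top of the SP `<Keys>` block would keep a copier from shipping these as-is, e.g. `<!-- Demo key material only: keystore.jks and these passwords belong to the example realm; a real deployment needs its own SP key pair and a keystore password supplied from outside the WAR. -->`. The `sslPolicy="EXTERNAL"` setting combined with plain `http://localhost` URLs in `bindingUrl`/`postBindingUrl`/`redirectBindingUrl` presumably only works because the demo is reached on localhost; a one-line comment stating that assumption would help readers who change the host. Minor style point: `<Key signing="true" >` in the SP block has a stray space before `>`, while the IDP block writes `<Key signing="true">`.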

@ -1,31 +0,0 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
<IdentityURL>${idp-sig.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml}
</IdentityURL>
<ServiceURL>${sales-post-sig.url::http://localhost:8080/sales-post-sig/}
</ServiceURL>
<KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/keystore.jks" />
<Auth Key="KeyStorePass" Value="store123" />
<Auth Key="SigningKeyPass" Value="test123" />
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/" />
<ValidatingAlias Key="localhost" Value="saml-demo" />
<ValidatingAlias Key="127.0.0.1" Value="saml-demo" />
</KeyProvider>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>
</PicketLink>

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>sales-post-sig</module-name>
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SALES Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<!-- Define a security constraint that gives unlimted access to freezone -->
<security-constraint>
<web-resource-collection>
<web-resource-name>freezone</web-resource-name>
<url-pattern>/freezone/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>images</web-resource-name>
<url-pattern>/images/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>css</web-resource-name>
<url-pattern>/css/*</url-pattern>
</web-resource-collection>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
<realm-name>Tomcat SALES Application</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>The role that is required to log in to the Manager Application</description>
<role-name>manager</role-name>
</security-role>
</web-app>
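Review bot: The `<form-login-config>` under `<login-config>` points at `/jsp/login.jsp` and `/jsp/loginerror.jsp`, but with `<auth-method>KEYCLOAK-SAML</auth-method>` authentication is handed to the IdP and, as far as the visible sections of this commit show, no file under `/jsp` is added, so these entries (and `<realm-name>Tomcat SALES Application</realm-name>`) look like leftovers from the PicketLink/Tomcat version of the example. Either drop the `<form-login-config>` block or annotate it: `<!-- form-login-config is presumably unused with KEYCLOAK-SAML; the adapter redirects to the IdP -->`. The second `<security-constraint>` deliberately has no `<auth-constraint>`, which is how the servlet spec grants unauthenticated access to `/freezone/*`, `/images/*` and `/css/*`; the comment above it should say so explicitly (and fix the `unlimted` typo) because a reader skimming it may assume it restricts those paths, e.g. `<!-- No auth-constraint: these paths are open to unauthenticated users (free zone and static assets) -->`.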





@ -0,0 +1,15 @@
<div align="center">
<h1>SalesTool</h1>
<br/>
Welcome to the Sales Tool, <%=request.getUserPrincipal().getName()%>
<br/>
<a href="?GLO=true">Click to LogOut</a>
<br/>
<br/>
Here is your sales chart:
<br/>
<img src="piechart.gif"/>
<br/>
</div>
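Review bot: `<%=request.getUserPrincipal().getName()%>` writes the principal name into the page without escaping; with `PrincipalNameMapping policy="FROM_NAME_ID"` in the adapter descriptor added by this commit, that value is the SAML NameID as supplied by the IdP, so any markup it contains is rendered as HTML. Escaping it on output, for instance with JSTL `<c:out value="${pageContext.request.userPrincipal.name}"/>` (core taglib declared) or an explicit HTML-escape helper, keeps the example safe to copy into real applications. The `?GLO=true` logout link would also benefit from a short comment naming what it does, since the query parameter is not self-explanatory: `<%-- GLO=true asks the Keycloak SAML adapter to start a global (IdP-side) logout --%>`.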

@ -0,0 +1,43 @@
<!--
~ JBoss, Home of Professional Open Source.
~ Copyright (c) 2011, Red Hat, Inc., and individual contributors
~ as indicated by the @author tags. See the copyright.txt file in the
~ distribution for a full listing of individual contributors.
~
~ This is free software; you can redistribute it and/or modify it
~ under the terms of the GNU Lesser General Public License as
~ published by the Free Software Foundation; either version 2.1 of
~ the License, or (at your option) any later version.
~
~ This software is distributed in the hope that it will be useful,
~ but WITHOUT ANY WARRANTY; without even the implied warranty of
~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
~ Lesser General Public License for more details.
~
~ You should have received a copy of the GNU Lesser General Public
~ License along with this software; if not, write to the Free
~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Keycloak SAML Client Adapter Example Application</title>
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
<link rel="StyleSheet" href="css/idp.css" type="text/css">
</head>
<body>
<img src="images/keycloak_default_banner-1180px.png"
style="margin-top: -10px; margin-left: -10px; opacity: 0.4; filter: alpha(opacity = 40);" />
<div class="loginBox"
style="margin-bottom: 80px; border: 1px solid #000000; width: 440px; background-color: #F8F8F8; align: center;">
<center>
<p>
<b>Logged out. <a href="<%= request.getContextPath() %>">Login</a> again.</b>
</p>
</center>
</div>
</body>
</html>


@ -1,251 +0,0 @@
picketlink-federation-saml-sp-redirect-basic: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding
===============================
Author: Pedro Igor
Level: Intermediate
Technologies: PicketLink Federation, SAML v2.0
Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP Redirect Binding.
Source: <https://github.com/jboss-developer/jboss-picketlink-quickstarts/>
What is it?
-----------
This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client.
WARNING: This example doesn't use signed SAML request and response messages. It's used just for demonstration purpose, but in production
you should always use signed SAML messages as shown in "redirect-with-signature" example.
Make sure you've set up the Keycloak Server
--------------------------------------
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
Alternatively, you can install the Keycloak Server onto any EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
$ cd ${wildfly.jboss.home}/standalone
$ cp -r ${keycloak-war-dist-all}/deployments .
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.0"/>
...
</profile>
Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
From appliance:
```
$ cd keycloak/bin
$ ./standalone.sh
```
From existing Wildfly/EAP6/AS7 distro
```
$ cd ${wildfly.jboss.home}/bin
$ ./standalone.sh
```
Import the Test Realm
---------------------------------------
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm)
Import the testsaml.json file that is in the saml/ example directory.
Install Picketlink Modules into App server
------------------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details.
Create the Security Domain for JBoss EAP
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Create the Security Domain for WildFly
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Review the Modified Server Configuration for EAP
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file.
The following `sp` security-domain was added to the `security` subsystem.
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider.
Review the Modified Server Configuration for WildFly
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you are using Wildfly, the security-domain should have the following configuration:
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
SAML SP-Initiated Single Sign-On
-----------------------------------
The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side.
Please, take a look at the following documentation for more details:
1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO)
Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile
-------------------------
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
Build and Deploy the Quickstart
-------------------------
_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. Type this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
4. This will deploy `target/picketlink-federation-saml-sp-redirect-basic.war` to the running instance of the server.
Access the application
---------------------
The application will be running at the following URL: <http://localhost:8080/employee>.
*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-keycloak-saml-quickstarts).*
Undeploy the Archive
--------------------
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. When you are finished testing, type this command to undeploy the archive:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Debug the Application
------------------------------------
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc

@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>employee</context-root>
<!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1 +0,0 @@
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>employee</context-root>
</jboss-web>


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,111 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.picketlink.quickstarts</groupId>
<artifactId>picketlink-federation-saml-sp-redirect-basic</artifactId>
<version>2.7.0.Beta2</version>
<packaging>war</packaging>
<name>PicketLink Quickstart: picketlink-federation-saml-sp-redirect-basic</name>
<description>PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding</description>
<url>http://www.picketlink.org</url>
<licenses>
<license>
<name>Apache License, Version 2.0</name>
<distribution>repo</distribution>
<url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
</license>
</licenses>
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.7.0.Beta2</version.picketlink.javaee.bom>
<!-- Default target container. -->
<target.container>jboss-eap</target.container>
<!-- maven-compiler-plugin -->
<version.compiler.plugin>3.1</version.compiler.plugin>
<!-- maven-deploy-plugin -->
<version.deploy.plugin>2.8.1</version.deploy.plugin>
<!-- JBoss AS dependency versions -->
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
<!-- maven-war-plugin -->
<version.war.plugin>2.1.1</version.war.plugin>
<!-- WildFly dependency versions -->
<version.wildfly.maven.plugin>1.0.1.Final</version.wildfly.maven.plugin>
<maven.compiler.target>1.6</maven.compiler.target>
<maven.compiler.source>1.6</maven.compiler.source>
</properties>
<build>
<!-- Set the name of the war, used as the context root when the app is deployed -->
<finalName>${project.artifactId}</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>${version.deploy.plugin}</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>${version.war.plugin}</version>
<configuration>
<!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
<failOnMissingWebXml>false</failOnMissingWebXml>
<!-- We need to get the configuration resources for the provided target container. -->
<classifier>${target.container}</classifier>
<!-- Instead of duplicating resources for each example application, we just reuse all resources from the
base application. -->
<webResources>
<resource>
<directory>${basedir}/conf/${target.container}</directory>
</resource>
</webResources>
</configuration>
</plugin>
<!-- JBoss AS plugin to deploy war -->
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>${version.jboss.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>wildfly</id>
<properties>
<target.container>wildfly</target.container>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>


@ -1,13 +0,0 @@
# Batch script to remove the quickstart-domain security domain from the JBoss server
# Start batching commands
batch
# Remove the security domain
/subsystem=security/security-domain=sp:remove
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1,20 +0,0 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL">
<IdentityURL>${idp.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml}</IdentityURL>
<ServiceURL>${employee.url::http://localhost:8080/employee/}
</ServiceURL>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
<Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
</Handlers>
</PicketLink>



@ -1,87 +1,12 @@
picketlink-federation-saml-sp-redirect-with-signature: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding With Signature Support
===============================
Author: Pedro Igor
Level: Intermediate
Technologies: PicketLink Federation, SAML v2.0
Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP Redirect Binding With Signature Support.
Source: <https://github.com/jboss-developer/jboss-picketlink-quickstarts/>
# Keycloak SAML Client Adapter using HTTP Redirect Binding With Signatures
## Introduction
What is it?
-----------
Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP Redirect Binding With Signature Support.
This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client.
## Import the test realm
Make sure you've set up the Keycloak Server
--------------------------------------
The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of
the box to run these demos. So, if you're using this, you can head to Step 2.
Alternatively, you can install the Keycloak Server onto any EAP 6.x, or Wildfly 8.x server, but there is
a few steps you must follow.
Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation.
This installs the server.
$ cd ${wildfly.jboss.home}/standalone
$ cp -r ${keycloak-war-dist-all}/deployments .
To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly:
$ cd ${wildfly.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip
For JBoss EAP 6.x
$ cd ${eap.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip
For JBoss AS 7.1.1:
$ cd ${as7.home}
$ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip
Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's
configuration (standalone/configuration/standalone.xml).
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.keycloak.keycloak-subsystem"/>
...
</extensions>
<profile>
<subsystem xmlns="urn:jboss:domain:keycloak:1.0"/>
...
</profile>
Boot Keycloak Server
---------------------------------------
Where you go to start up the Keycloak Server depends on which distro you installed.
From appliance:
```
$ cd keycloak/bin
$ ./standalone.sh
```
From existing Wildfly/EAP6/AS7 distro
```
$ cd ${wildfly.jboss.home}/bin
$ ./standalone.sh
```
Import the Test Realm
---------------------------------------
Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the
If you haven't already done so, you need to import the test realm for this examples. Clicking on the below link will bring you to the
create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to
create a new admin password before you can go to the create realm page.
@ -89,162 +14,13 @@ create a new admin password before you can go to the create realm page.
Import the testsaml.json file that is in the saml/ example directory.
Install Picketlink Modules into App server
------------------------------------------
## Build and Deploy
If you are running this example with the Keycloak application distribution, you can skip this step.
```
$ mvn clean install wildfly:deploy
```
You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details.
Create the Security Domain for JBoss EAP
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Create the Security Domain for WildFly
---------------
If you are running this example with the Keycloak application distribution, you can skip this step.
These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution.
You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart.
1. Before you begin, back up your server configuration file
* If it is running, stop the JBoss server.
* Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml`
* After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration.
2. Start the JBoss server by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands.
4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server:
JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli
You should see the following result when you run the script:
The batch executed successfully
{
"outcome" => "success",
}
Review the Modified Server Configuration for EAP
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file.
The following `sp` security-domain was added to the `security` subsystem.
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider.
Review the Modified Server Configuration for WildFly
-----------------------------------
If you are running this example with the Keycloak application distribution, you can skip this step.
If you are using Wildfly, the security-domain should have the following configuration:
<security-domain name="sp" cache-type="default">
<authentication>
<login-module code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule" flag="required"/>
</authentication>
</security-domain>
SAML SP-Initiated Single Sign-On
-----------------------------------
The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side.
Please, take a look at the following documentation for more details:
1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO)
Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile
-------------------------
1. Open a command line and navigate to the root of the JBoss server directory.
2. The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
Build and Deploy the Quickstart
-------------------------
_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. Type this command to build and deploy the archive:
For EAP 6: mvn clean package jboss-as:deploy
For WildFly: mvn -Pwildfly clean package wildfly:deploy
4. This will deploy `target/picketlink-federation-saml-sp-redirect-with-signature.war` to the running instance of the server.
Access the application
---------------------
## Access the application
The application will be running at the following URL: <http://localhost:8080/employee-sig>.
*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-keycloak-saml-quickstarts).*
Undeploy the Archive
--------------------
1. Make sure you have started the JBoss Server as described above.
2. Open a command line and navigate to the root directory of this quickstart.
3. When you are finished testing, type this command to undeploy the archive:
For EAP 6: mvn jboss-as:undeploy
For WildFly: mvn -Pwildfly wildfly:undeploy
Debug the Application
------------------------------------
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1,16 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>employee-sig</context-root>
<!-- You must configure one of the PicketLink Authenticators to get enable SAML-based SSO. Identity Providers and Service Providers
have different authenticators. In this case we're configuring an Service Provider, so we authenticator above is required. -->
<valve>
<class-name>org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator</class-name>
</valve>
</jboss-web>


@ -1,10 +0,0 @@
<jboss-deployment-structure>
<deployment>
<!-- You must configure the PicketLink dependency to your deployment. The dependency above is a reference to a static module
from JBoss EAP modules directory. -->
<dependencies>
<module name="org.picketlink"/>
</dependencies>
</deployment>
</jboss-deployment-structure>


@ -1 +0,0 @@
org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension


@ -1,10 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- You must have a security-domain configured in your JBoss EAP instance. The security-domain is necessary to provide user
authentication and roles mappings. In this case,we need a specific JAAS LoginModule that knows how to extract user's information from a SAML Assertion previously
issued by the Identity Provider. -->
<security-domain>sp</security-domain>
<!-- Here we just define the context path of the deployment. -->
<context-root>employee-sig</context-root>
</jboss-web>


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -1,16 +0,0 @@
# Batch script to add and configure the quickstart-domain security domain in the JBoss server
# Start batching commands
batch
# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user.
/subsystem=security/security-domain=sp:add(cache-type=default)
/subsystem=security/security-domain=sp/authentication=classic:add
/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required)
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -2,16 +2,14 @@
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.picketlink.quickstarts</groupId>
<artifactId>picketlink-federation-saml-sp-redirect-with-signature</artifactId>
<version>2.7.0.Beta2</version>
<groupId>org.keycloak.examples</groupId>
<artifactId>saml-redirect-signatures</artifactId>
<version>1.6.0.Final-SNAPSHOT</version>
<packaging>war</packaging>
<name>PicketLink Quickstart: picketlink-federation-saml-sp-redirect-with-signature</name>
<description>PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding With Signature Support</description>
<name>Keycloak SAML Adapter Example Redirect Binding with Signatures</name>
<url>http://www.picketlink.org</url>
<licenses>
<license>
@ -21,104 +19,26 @@
</license>
</licenses>
<properties>
<!-- PicketLink dependency versions -->
<version.picketlink.javaee.bom>2.7.0.Beta2</version.picketlink.javaee.bom>
<!-- Default target container. -->
<target.container>jboss-eap</target.container>
<!-- maven-compiler-plugin -->
<version.compiler.plugin>3.1</version.compiler.plugin>
<!-- maven-deploy-plugin -->
<version.deploy.plugin>2.8.1</version.deploy.plugin>
<!-- JBoss AS dependency versions -->
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
<!-- maven-war-plugin -->
<version.war.plugin>2.1.1</version.war.plugin>
<!-- WildFly dependency versions -->
<version.wildfly.maven.plugin>1.0.1.Final</version.wildfly.maven.plugin>
<maven.compiler.target>1.6</maven.compiler.target>
<maven.compiler.source>1.6</maven.compiler.source>
</properties>
<build>
<!-- Set the name of the war, used as the context root when the app is deployed -->
<finalName>${project.artifactId}</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
</resource>
<resource>
<directory>../redirect-basic/src/main/resources</directory>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>${version.deploy.plugin}</version>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>${version.war.plugin}</version>
<configuration>
<!-- Java EE 6 doesn't require web.xml, Maven needs to catch up! -->
<failOnMissingWebXml>false</failOnMissingWebXml>
<!-- We need to get the configuration resources for the provided target container. -->
<classifier>${target.container}</classifier>
<!-- Instead of duplicating resources for each example application, we just reuse all resources from the
base application. -->
<webResources>
<resource>
<directory>src/main/webapp</directory>
</resource>
<resource>
<directory>../redirect-basic/src/main/webapp</directory>
</resource>
<resource>
<directory>${basedir}/conf/${target.container}</directory>
</resource>
</webResources>
</configuration>
</plugin>
<!-- JBoss AS plugin to deploy war -->
<plugin>
<groupId>org.jboss.as.plugins</groupId>
<artifactId>jboss-as-maven-plugin</artifactId>
<version>${version.jboss.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
<skip>false</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<id>wildfly</id>
<properties>
<target.container>wildfly</target.container>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>${version.wildfly.maven.plugin}</version>
<configuration>
<filename>${project.build.finalName}-${target.container}.${project.packaging}</filename>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
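Review bot: The `wildfly-maven-plugin` declaration that survives in the new `<build>` carries only `<skip>false</skip>` and no `<version>`, while the `version.*` properties that previously pinned plugin versions are removed in the second hunk; unless a parent pom's pluginManagement supplies the version (no `<parent>` is visible in either hunk), Maven resolves an unpinned plugin, which makes the build non-reproducible and prints a warning. Keep the pin that the old pom had, e.g. `<version>1.0.1.Final</version>` under the plugin's `<artifactId>`, or reintroduce the `version.wildfly.maven.plugin` property. The first hunk also leaves `<url>http://www.picketlink.org</url>` as unchanged context even though the coordinates and `<name>` now describe a Keycloak example, so the project metadata points at the wrong upstream. The pom's `<project>` start tag lies above the first hunk.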


@ -1,13 +0,0 @@
# Batch script to remove the quickstart-domain security domain from the JBoss server
# Start batching commands
batch
# Remove the security domain
/subsystem=security/security-domain=sp:remove
# Run the batch commands
run-batch
# Reload the server configuration
:reload


@ -0,0 +1,44 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8080/employee-sig/"
sslPolicy="EXTERNAL"
logoutPage="/logout.jsp"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
forceAuthentication="false">
<Keys>
<Key signing="true" >
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
<PrivateKey alias="http://localhost:8080/employee-sig/" password="test123"/>
<Certificate alias="http://localhost:8080/employee-sig/"/>
</KeyStore>
</Key>
</Keys>
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleMapping>
<Attribute name="Role"/>
</RoleMapping>
<IDP entityID="idp">
<SingleSignOnService signRequest="true"
validateResponseSignature="true"
requestBinding="REDIRECT"
bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
/>
<SingleLogoutService
validateRequestSignature="true"
validateResponseSignature="true"
signRequest="true"
signResponse="true"
requestBinding="REDIRECT"
responseBinding="REDIRECT"
redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
/>
<Keys>
<Key signing="true">
<KeyStore resource="/WEB-INF/keystore.jks" password="store123">
<Certificate alias="saml-demo"/>
</KeyStore>
</Key>
</Keys>
</IDP>
</SP>
</keycloak-saml-adapter>
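Review bot: The keystore password and private-key password (`store123`, `test123`) sit as bare literals in the `<KeyStore>` and `<PrivateKey>` elements with nothing marking them as example material, so the file reads like a template to copy. Add a comment above the SP `<Keys>` block such as `<!-- Demo keystore bundled with the example (WEB-INF/keystore.jks); these passwords and keys exist only for the saml-demo realm and must be replaced in any real deployment. -->`. The IDP `<Keys>` block would also benefit from a one-line comment stating that the `saml-demo` certificate is what `validateResponseSignature="true"` and `validateRequestSignature="true"` are checked against, so a reader knows it presumably has to match the realm's signing certificate. Finally, `sslPolicy="EXTERNAL"` together with the plain-`http://localhost` entityID is appropriate for a local demo but worth a comment, since it permits unencrypted SAML exchanges on non-external addresses.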


@ -1,36 +0,0 @@
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
ServerEnvironment="tomcat" BindingType="REDIRECT" SupportsSignatures="true">
<IdentityURL>${idp-sig.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml}
</IdentityURL>
<ServiceURL>${employee-sig.url::http://localhost:8080/employee-sig/}
</ServiceURL>
<KeyProvider
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
<Auth Key="KeyStoreURL" Value="/keystore.jks" />
<Auth Key="KeyStorePass" Value="store123" />
<Auth Key="SigningKeyPass" Value="test123" />
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/employee-sig/" />
<ValidatingAlias Key="localhost" Value="saml-demo" />
<ValidatingAlias Key="127.0.0.1" Value="saml-demo" />
</KeyProvider>
</PicketLinkSP>
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler">
<!--
This is a optional configuration. By default, method http://www.w3.org/2000/09/xmldsig#rsa-sha1
and digest http://www.w3.org/2000/09/xmldsig#sha1 are used. -->
<Option Key="SIGN_METHOD" Value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Option Key="SIGN_DIGEST" Value="http://www.w3.org/2001/04/xmlenc#sha256"/>
</Handler>
<Handler
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
</Handlers>
</PicketLink>
