saml subsystem as7 backport

This commit is contained in:
Bill Burke 2016-02-01 10:36:25 -05:00
parent 6c020661e8
commit 66f4921227
5 changed files with 123 additions and 96 deletions

View file

@ -24,46 +24,48 @@ public class Constants {
static class Model { static class Model {
static final String SECURE_DEPLOYMENT = "secure-deployment"; static final String SECURE_DEPLOYMENT = "secure-deployment";
static final String SERVICE_PROVIDER = "service-provider"; static final String SERVICE_PROVIDER = "SP";
static final String SSL_POLICY = "ssl-policy"; static final String SSL_POLICY = "sslPolicy";
static final String NAME_ID_POLICY_FORMAT = "name-id-policy-format"; static final String NAME_ID_POLICY_FORMAT = "nameIDPolicyFormat";
static final String LOGOUT_PAGE = "logout-page"; static final String LOGOUT_PAGE = "logoutPage";
static final String FORCE_AUTHENTICATION = "force-authentication"; static final String FORCE_AUTHENTICATION = "forceAuthentication";
static final String ROLE_ATTRIBUTES = "role-attributes"; static final String IS_PASSIVE = "isPassive";
static final String TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN = "turnOffChangeSessionIdOnLogin";
static final String ROLE_ATTRIBUTES = "RoleIdentifiers";
static final String SIGNING = "signing"; static final String SIGNING = "signing";
static final String ENCRYPTION = "encryption"; static final String ENCRYPTION = "encryption";
static final String KEY = "key"; static final String KEY = "Key";
static final String RESOURCE = "resource"; static final String RESOURCE = "resource";
static final String PASSWORD = "password"; static final String PASSWORD = "password";
static final String PRIVATE_KEY_ALIAS = "private-key-alias"; static final String PRIVATE_KEY_ALIAS = "PrivateKey-alias";
static final String PRIVATE_KEY_PASSWORD = "private-key-password"; static final String PRIVATE_KEY_PASSWORD = "PrivateKey-password";
static final String CERTIFICATE_ALIAS = "certificate-alias"; static final String CERTIFICATE_ALIAS = "Certificate-alias";
static final String KEY_STORE = "key-store"; static final String KEY_STORE = "KeyStore";
static final String SIGN_REQUEST = "sign-request"; static final String SIGN_REQUEST = "signRequest";
static final String VALIDATE_RESPONSE_SIGNATURE = "validate-response-signature"; static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
static final String REQUEST_BINDING = "request-binding"; static final String REQUEST_BINDING = "requestBinding";
static final String BINDING_URL = "binding-url"; static final String BINDING_URL = "bindingUrl";
static final String VALIDATE_REQUEST_SIGNATURE = "validate-request-signature"; static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
static final String SIGN_RESPONSE = "sign-response"; static final String SIGN_RESPONSE = "signResponse";
static final String RESPONSE_BINDING = "response-binding"; static final String RESPONSE_BINDING = "responseBinding";
static final String POST_BINDING_URL = "post-binding-url"; static final String POST_BINDING_URL = "postBindingUrl";
static final String REDIRECT_BINDING_URL = "redirect-binding-url"; static final String REDIRECT_BINDING_URL = "redirectBindingUrl";
static final String SINGLE_SIGN_ON = "single-sign-on"; static final String SINGLE_SIGN_ON = "SingleSignOnService";
static final String SINGLE_LOGOUT = "single-logout"; static final String SINGLE_LOGOUT = "SingleLogoutService";
static final String IDENTITY_PROVIDER = "identity-provider"; static final String IDENTITY_PROVIDER = "IDP";
static final String PRINCIPAL_NAME_MAPPING_POLICY = "principal-name-mapping-policy"; static final String PRINCIPAL_NAME_MAPPING_POLICY = "PrincipalNameMapping-policy";
static final String PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME = "principal-name-mapping-attribute-name"; static final String PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME = "PrincipalNameMapping-attribute-name";
static final String SIGNATURE_ALGORITHM = "signature-algorithm"; static final String SIGNATURE_ALGORITHM = "signatureAlgorithm";
static final String SIGNATURE_CANONICALIZATION_METHOD = "signature-canonicalization-method"; static final String SIGNATURE_CANONICALIZATION_METHOD = "signatureCanonicalizationMethod";
static final String PRIVATE_KEY_PEM = "private-key-pem"; static final String PRIVATE_KEY_PEM = "PrivateKeyPem";
static final String PUBLIC_KEY_PEM = "public-key-pem"; static final String PUBLIC_KEY_PEM = "PublicKeyPem";
static final String CERTIFICATE_PEM = "certificate-pem"; static final String CERTIFICATE_PEM = "CertificatePem";
static final String TYPE = "type"; static final String TYPE = "type";
static final String ALIAS = "alias"; static final String ALIAS = "alias";
static final String FILE = "file"; static final String FILE = "file";
static final String SIGNATURES_REQUIRED = "signatures-required"; static final String SIGNATURES_REQUIRED = "signaturesRequired";
} }
@ -87,6 +89,8 @@ public class Constants {
static final String KEY_STORE = "KeyStore"; static final String KEY_STORE = "KeyStore";
static final String PRIVATE_KEY = "PrivateKey"; static final String PRIVATE_KEY = "PrivateKey";
static final String CERTIFICATE = "Certificate"; static final String CERTIFICATE = "Certificate";
static final String IS_PASSIVE = "isPassive";
static final String TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN = "turnOffChangeSessionIdOnLogin";
static final String PRIVATE_KEY_ALIAS = "alias"; static final String PRIVATE_KEY_ALIAS = "alias";
static final String PRIVATE_KEY_PASSWORD = "password"; static final String PRIVATE_KEY_PASSWORD = "password";

View file

@ -32,9 +32,7 @@ import org.jboss.staxmapper.XMLExtendedStreamWriter;
import javax.xml.stream.XMLStreamConstants; import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamException;
import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -555,14 +553,18 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
} }
void writePrincipalNameMapping(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException { void writePrincipalNameMapping(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
writer.writeStartElement(Constants.XML.PRINCIPAL_NAME_MAPPING);
ModelNode value = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY); ModelNode policy = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY);
if (value.isDefined()) { ModelNode mappingAttribute = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME);
writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY, value.asString()); if (!policy.isDefined() && !mappingAttribute.isDefined()) {
return;
} }
value = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME); writer.writeStartElement(Constants.XML.PRINCIPAL_NAME_MAPPING);
if (value.isDefined()) { if (policy.isDefined()) {
writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, value.asString()); writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY, policy.asString());
}
if (mappingAttribute.isDefined()) {
writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, mappingAttribute.asString());
} }
writer.writeEndElement(); writer.writeEndElement();
} }

View file

@ -59,6 +59,15 @@ public class ServiceProviderDefinition extends SimpleResourceDefinition {
.setXmlName(Constants.XML.FORCE_AUTHENTICATION) .setXmlName(Constants.XML.FORCE_AUTHENTICATION)
.build(); .build();
static final SimpleAttributeDefinition IS_PASSIVE =
new SimpleAttributeDefinitionBuilder(Constants.Model.IS_PASSIVE, ModelType.BOOLEAN, true)
.setXmlName(Constants.XML.IS_PASSIVE)
.build();
static final SimpleAttributeDefinition TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN =
new SimpleAttributeDefinitionBuilder(Constants.Model.TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN, ModelType.BOOLEAN, true)
.setXmlName(Constants.XML.TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN)
.build();
static final SimpleAttributeDefinition PRINCIPAL_NAME_MAPPING_POLICY = static final SimpleAttributeDefinition PRINCIPAL_NAME_MAPPING_POLICY =
new SimpleAttributeDefinitionBuilder(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY, ModelType.STRING, true) new SimpleAttributeDefinitionBuilder(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY, ModelType.STRING, true)
.setXmlName(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY) .setXmlName(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY)
@ -71,10 +80,10 @@ public class ServiceProviderDefinition extends SimpleResourceDefinition {
static final ListAttributeDefinition ROLE_ATTRIBUTES = static final ListAttributeDefinition ROLE_ATTRIBUTES =
new StringListAttributeDefinition.Builder(Constants.Model.ROLE_ATTRIBUTES) new StringListAttributeDefinition.Builder(Constants.Model.ROLE_ATTRIBUTES)
.setAllowNull(false) .setAllowNull(true)
.build(); .build();
static final SimpleAttributeDefinition[] ATTRIBUTES = {SSL_POLICY, NAME_ID_POLICY_FORMAT, LOGOUT_PAGE, FORCE_AUTHENTICATION}; static final SimpleAttributeDefinition[] ATTRIBUTES = {SSL_POLICY, NAME_ID_POLICY_FORMAT, LOGOUT_PAGE, FORCE_AUTHENTICATION, IS_PASSIVE, TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN};
static final AttributeDefinition[] ELEMENTS = {PRINCIPAL_NAME_MAPPING_POLICY, PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, ROLE_ATTRIBUTES}; static final AttributeDefinition[] ELEMENTS = {PRINCIPAL_NAME_MAPPING_POLICY, PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, ROLE_ATTRIBUTES};

View file

@ -6,58 +6,60 @@ keycloak-saml.subsystem.secure-deployment=A deployment secured by Keycloak.
keycloak-saml.secure-deployment=A deployment secured by Keycloak keycloak-saml.secure-deployment=A deployment secured by Keycloak
keycloak-saml.secure-deployment.add=Add a deployment to be secured by Keycloak keycloak-saml.secure-deployment.add=Add a deployment to be secured by Keycloak
keycloak-saml.secure-deployment.remove=Remove a deployment to be secured by Keycloak keycloak-saml.secure-deployment.remove=Remove a deployment to be secured by Keycloak
keycloak-saml.secure-deployment.service-provider=A security provider configuration for secure deployment keycloak-saml.secure-deployment.SP=A security provider configuration for secure deployment
keycloak-saml.service-provider=A security provider configuration for secure deployment keycloak-saml.SP=A security provider configuration for secure deployment
keycloak-saml.service-provider.add=Add a security provider configuration to deployment secured by Keycloak SAML keycloak-saml.SP.add=Add a security provider configuration to deployment secured by Keycloak SAML
keycloak-saml.service-provider.remove=Remove a security provider definition from deployment secured by Keycloak SAML keycloak-saml.SP.remove=Remove a security provider definition from deployment secured by Keycloak SAML
keycloak-saml.service-provider.ssl-policy=SSL Policy to use keycloak-saml.SP.sslPolicy=SSL Policy to use
keycloak-saml.service-provider.name-id-policy-format=Name ID policy format URN keycloak-saml.SP.nameIDPolicyFormat=Name ID policy format URN
keycloak-saml.service-provider.logout-page=URI to a logout page keycloak-saml.SP.logoutPage=URI to a logout page
keycloak-saml.service-provider.force-authentication=Redirected unauthenticated request to a login page keycloak-saml.SP.forceAuthentication=Redirected unauthenticated request to a login page
keycloak-saml.service-provider.role-attributes=Role identifiers keycloak-saml.SP.isPassive=If user isn't logged in just return with an error. Used to check if a user is already logged in or not
keycloak-saml.service-provider.principal-name-mapping-policy=Principal name mapping policy keycloak-saml.SP.turnOffChangeSessionIdOnLogin=The session id is changed by default on a successful login. Change this to true if you want to turn this off
keycloak-saml.service-provider.principal-name-mapping-attribute-name=Principal name mapping attribute name keycloak-saml.SP.RoleIdentifiers=Role identifiers
keycloak-saml.service-provider.key=A key definition keycloak-saml.SP.PrincipalNameMapping-policy=Principal name mapping policy
keycloak-saml.service-provider.identity-provider=Identity provider definition keycloak-saml.SP.PrincipalNameMapping-attribute-name=Principal name mapping attribute name
keycloak-saml.SP.Key=A key definition
keycloak-saml.SP.IDP=Identity provider definition
keycloak-saml.key=A key configuration for service provider or identity provider keycloak-saml.Key=A key configuration for service provider or identity provider
keycloak-saml.key.add=Add a key definition keycloak-saml.Key.add=Add a key definition
keycloak-saml.key.remove=Remove a key definition keycloak-saml.Key.remove=Remove a key definition
keycloak-saml.key.signing=Key can be used for signing keycloak-saml.Key.signing=Key can be used for signing
keycloak-saml.key.encryption=Key can be used for encryption keycloak-saml.Key.encryption=Key can be used for encryption
keycloak-saml.key.private-key-pem=Private key string in pem format keycloak-saml.Key.PrivateKeyPem=Private key string in pem format
keycloak-saml.key.public-key-pem=Public key string in pem format keycloak-saml.Key.PublicKeyPem=Public key string in pem format
keycloak-saml.key.certificate-pem=Certificate key string in pem format keycloak-saml.Key.CertificatePem=Certificate key string in pem format
keycloak-saml.key.key-store=Key store definition keycloak-saml.Key.KeyStore=Key store definition
keycloak-saml.key.key-store.file=Key store filesystem path keycloak-saml.Key.KeyStore.file=Key store filesystem path
keycloak-saml.key.key-store.resource=Key store resource URI keycloak-saml.Key.KeyStore.resource=Key store resource URI
keycloak-saml.key.key-store.password=Key store password keycloak-saml.Key.KeyStore.password=Key store password
keycloak-saml.key.key-store.type=Key store format keycloak-saml.Key.KeyStore.type=Key store format
keycloak-saml.key.key-store.alias=Key alias keycloak-saml.Key.KeyStore.alias=Key alias
keycloak-saml.key.key-store.private-key-alias=Private key alias keycloak-saml.Key.KeyStore.PrivateKey-alias=Private key alias
keycloak-saml.key.key-store.private-key-password=Private key password keycloak-saml.Key.KeyStore.PrivateKey-password=Private key password
keycloak-saml.key.key-store.certificate-alias=Certificate alias keycloak-saml.Key.KeyStore.Certificate-alias=Certificate alias
keycloak-saml.identity-provider=An identity provider configuration keycloak-saml.IDP=An identity provider configuration
keycloak-saml.identity-provider.add=Add an identity provider keycloak-saml.IDP.add=Add an identity provider
keycloak-saml.identity-provider.remove=Remove an identity provider keycloak-saml.IDP.remove=Remove an identity provider
keycloak-saml.identity-provider.signatures-required=Require signatures for single-sign-on and single-logout keycloak-saml.IDP.signaturesRequired=Require signatures for SingleSignOnService and SingleLogoutService
keycloak-saml.identity-provider.signature-algorithm=Signature algorithm keycloak-saml.IDP.signatureAlgorithm=Signature algorithm
keycloak-saml.identity-provider.signature-canonicalization-method=Signature canonicalization method keycloak-saml.IDP.signatureCanonicalizationMethod=Signature canonicalization method
keycloak-saml.identity-provider.single-sign-on=Single sign-on configuration keycloak-saml.IDP.SingleSignOnService=Single sign-on configuration
keycloak-saml.identity-provider.single-sign-on.sign-request=Sign SSO requests keycloak-saml.IDP.SingleSignOnService.signRequest=Sign SSO requests
keycloak-saml.identity-provider.single-sign-on.validate-response-signature=Validate an SSO response signature keycloak-saml.IDP.SingleSignOnService.validateResponseSignature=Validate an SSO response signature
keycloak-saml.identity-provider.single-sign-on.request-binding=HTTP method to use for requests keycloak-saml.IDP.SingleSignOnService.requestBinding=HTTP method to use for requests
keycloak-saml.identity-provider.single-sign-on.response-binding=HTTP method to use for responses keycloak-saml.IDP.SingleSignOnService.responseBinding=HTTP method to use for responses
keycloak-saml.identity-provider.single-sign-on.binding-url=SSO endpoint URL keycloak-saml.IDP.SingleSignOnService.bindingUrl=SSO endpoint URL
keycloak-saml.identity-provider.single-logout=Single logout configuration keycloak-saml.IDP.SingleLogoutService=Single logout configuration
keycloak-saml.identity-provider.single-logout.validate-request-signature=Validate a single-logout request signature keycloak-saml.IDP.SingleLogoutService.validateRequestSignature=Validate a SingleLogoutService request signature
keycloak-saml.identity-provider.single-logout.validate-response-signature=Validate a single-logout response signature keycloak-saml.IDP.SingleLogoutService.validateResponseSignature=Validate a SingleLogoutService response signature
keycloak-saml.identity-provider.single-logout.sign-request=Sign single-logout requests keycloak-saml.IDP.SingleLogoutService.signRequest=Sign SingleLogoutService requests
keycloak-saml.identity-provider.single-logout.sign-response=Sign single-logout responses keycloak-saml.IDP.SingleLogoutService.signResponse=Sign SingleLogoutService responses
keycloak-saml.identity-provider.single-logout.request-binding=HTTP method to use for request keycloak-saml.IDP.SingleLogoutService.requestBinding=HTTP method to use for request
keycloak-saml.identity-provider.single-logout.response-binding=HTTP method to use for response keycloak-saml.IDP.SingleLogoutService.responseBinding=HTTP method to use for response
keycloak-saml.identity-provider.single-logout.post-binding-url=Endpoint URL for posting keycloak-saml.IDP.SingleLogoutService.postBindingUrl=Endpoint URL for posting
keycloak-saml.identity-provider.single-logout.redirect-binding-url=Endpoint URL for redirects keycloak-saml.IDP.SingleLogoutService.redirectBindingUrl=Endpoint URL for redirects
keycloak-saml.identity-provider.key=Key definition for identity provider keycloak-saml.IDP.Key=Key definition for identity provider

View file

@ -61,11 +61,21 @@
<xs:documentation>URI to a logout page</xs:documentation> <xs:documentation>URI to a logout page</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
<xs:attribute name="forceAuthentication" type="xs:boolean" use="required"> <xs:attribute name="forceAuthentication" type="xs:boolean" use="optional">
<xs:annotation> <xs:annotation>
<xs:documentation>Redirected unauthenticated request to a login page</xs:documentation> <xs:documentation>Redirected unauthenticated request to a login page</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
<xs:attribute name="isPassive" type="xs:boolean" use="optional">
<xs:annotation>
<xs:documentation>If user isn't logged in just return with an error. Used to check if a user is already logged in or not</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="turnOffChangeSessionIdOnLogin" type="xs:boolean" use="optional">
<xs:annotation>
<xs:documentation>The session id is changed by default on a successful login. Change this to true if you want to turn this off</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType> </xs:complexType>
<xs:complexType name="identity-provider-type"> <xs:complexType name="identity-provider-type">
<xs:all minOccurs="1" maxOccurs="1"> <xs:all minOccurs="1" maxOccurs="1">
@ -78,7 +88,7 @@
<xs:documentation>The entity ID for SAML service provider</xs:documentation> <xs:documentation>The entity ID for SAML service provider</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:attribute> </xs:attribute>
<xs:attribute name="signaturesRequired" type="xs:boolean" use="required"> <xs:attribute name="signaturesRequired" type="xs:boolean" use="optional">
<xs:annotation> <xs:annotation>
<xs:documentation>Require signatures for single-sign-on and single-logout</xs:documentation> <xs:documentation>Require signatures for single-sign-on and single-logout</xs:documentation>
</xs:annotation> </xs:annotation>