KEYCLOAK-3071 Add SOAP and PAOS endpoints to valid redirect URIs on SP import

saml-core-api/src/main/java/org/keycloak/saml/common/constants/JBossSAMLURIConstants.java

@@ -79,8 +79,9 @@ public enum JBossSAMLURIConstants {
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
 
     SAML_HTTP_POST_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
-    SAML_HTTP_SOAP_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:SOAP"),
     SAML_HTTP_REDIRECT_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"),
+    SAML_SOAP_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:SOAP"),
+    SAML_PAOS_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:PAOS"),
 
     SAML_11_NS("urn:oasis:names:tc:SAML:1.0:assertion"),
 

services/src/main/java/org/keycloak/protocol/saml/EntityDescriptorDescriptionConverter.java

@@ -123,6 +123,14 @@ public class EntityDescriptorDescriptionConverter implements ClientDescriptionCo
             attributes.put(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, assertionConsumerServiceRedirectBinding);
             redirectUris.add(assertionConsumerServiceRedirectBinding);
         }
+        String assertionConsumerServiceSoapBinding = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_SOAP_BINDING.get());
+        if (assertionConsumerServiceSoapBinding != null) {
+            redirectUris.add(assertionConsumerServiceSoapBinding);
+        }
+        String assertionConsumerServicePaosBinding = CoreConfigUtil.getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_PAOS_BINDING.get());
+        if (assertionConsumerServicePaosBinding != null) {
+            redirectUris.add(assertionConsumerServicePaosBinding);
+        }
         if (spDescriptorType.getNameIDFormat() != null) {
             for (String format : spDescriptorType.getNameIDFormat()) {
                 String attribute = SamlClient.samlNameIDFormatToClientAttribute(format);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/SAMLClientRegistrationTest.java

@@ -28,8 +28,8 @@ import org.keycloak.representations.idm.ClientRepresentation;
 
 import java.io.IOException;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertNotNull;
+import static org.hamcrest.Matchers.*;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -49,10 +49,14 @@ public class SAMLClientRegistrationTest extends AbstractClientRegistrationTest {
         String entityDescriptor = IOUtils.toString(getClass().getResourceAsStream("/clientreg-test/saml-entity-descriptor.xml"));
         ClientRepresentation response = reg.saml().create(entityDescriptor);
 
-        assertNotNull(response.getRegistrationAccessToken());
+        assertThat(response.getRegistrationAccessToken(), notNullValue());
-        assertEquals("loadbalancer-9.siroe.com", response.getClientId());
+        assertThat(response.getClientId(), is("loadbalancer-9.siroe.com"));
-        assertEquals(1, response.getRedirectUris().size());
+        assertThat(response.getRedirectUris(), containsInAnyOrder(
-        assertEquals("https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp", response.getRedirectUris().get(0));
+          "https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/post",
+          "https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/soap",
+          "https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/paos",
+          "https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/redirect"
+        ));  // No redirect URI for ARTIFACT binding which is unsupported
     }
 
 }

testsuite/integration-arquillian/tests/base/src/test/resources/clientreg-test/saml-entity-descriptor.xml

@@ -90,10 +90,22 @@ x5Ql0ejivIJAYcMGUyA+/YwJg2FGoA==
             isDefault="true"
             index="0"
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
-            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp"/>
+            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/artifact"/>
         <AssertionConsumerService
             index="1"
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp"/>
+            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/post"/>
+        <AssertionConsumerService
+            index="2"
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/paos"/>
+        <AssertionConsumerService
+            index="3"
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/soap"/>
+        <AssertionConsumerService
+            index="4"
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/redirect"/>
     </SPSSODescriptor>
 </EntityDescriptor>