KEYCLOAK-4809 Support for SAML AttributeAuthorityDescriptor.Attribute elements
This commit is contained in:
parent
e6a64e234b
commit
958185ec51
5 changed files with 253 additions and 0 deletions
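--- a/SAMLEntityDescriptorParser.java
+++ b/SAMLEntityDescriptorParser.java
@@ -366,6 +366,8 @@ public class SAMLEntityDescriptorParser extends AbstractDescriptorParser impleme
 } else if (JBossSAMLConstants.ATTRIBUTE_PROFILE.get().equalsIgnoreCase(localPart)) {
 startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
 attributeAuthority.addAttributeProfile(StaxParserUtil.getElementText(xmlEventReader));
+} else if (JBossSAMLConstants.ATTRIBUTE.get().equalsIgnoreCase(localPart)) {
+attributeAuthority.addAttribute(SAMLParserUtil.parseAttribute(xmlEventReader));
 } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
 attributeAuthority.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
 } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {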
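Review bot: The new `ATTRIBUTE` branch matches on the local name only, like its siblings, so any element called `Attribute` under `AttributeAuthorityDescriptor` is routed to `SAMLParserUtil.parseAttribute` regardless of namespace; the element the metadata schema places here is the assertion-namespace `saml:Attribute` (the fixtures use `a:Attribute` / `saml:Attribute`), which is presumably what that shared helper expects. A one-line comment above the branch would save the next reader a trip to the schema and prevent misuse downstream: `// saml:Attribute in metadata only advertises attributes the authority can supply; it is descriptive, never an asserted value.` The enclosing method starts and ends outside this hunk, so I cannot see how unmatched child elements are handled.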
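--- a/SAMLParserTest.java
+++ b/SAMLParserTest.java
@@ -207,6 +207,27 @@ public class SAMLParserTest {
 }
 }
 
+@Test
+public void testSaml20MetadataEntityDescriptorIdP() throws IOException, ParsingException {
+try (InputStream st = SAMLParserTest.class.getResourceAsStream("saml20-entity-descriptor-idp.xml")) {
+parser.parse(st);
+}
+}
+
+@Test
+public void testSaml20MetadataEntityDescriptorSP() throws IOException, ParsingException {
+try (InputStream st = SAMLParserTest.class.getResourceAsStream("saml20-entity-descriptor-sp.xml")) {
+parser.parse(st);
+}
+}
+
+@Test
+public void testSaml20MetadataEntityDescriptorAdfsIdP() throws IOException, ParsingException {
+try (InputStream st = SAMLParserTest.class.getResourceAsStream("KEYCLOAK-4809-IdPMetadata_test.xml")) {
+parser.parse(st);
+}
+}
+
 @Test
 public void testAttributeProfileMetadata() throws Exception {
 try (InputStream st = SAMLParserTest.class.getResourceAsStream("KEYCLOAK-4236-AttributeProfile-element.xml")) {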
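Review bot: All three new tests only check that `parser.parse(st)` does not throw; none inspects the result, so a parser that silently skipped the `Attribute` elements this commit adds support for would still pass. At least `testSaml20MetadataEntityDescriptorAdfsIdP` should keep the returned descriptor and assert that the attribute authority's attribute list holds the eleven entries present in the fixture (the exact accessors depend on the type returned by `parser.parse`, which is declared outside this hunk). A guard such as `Assert.assertNotNull("fixture not on classpath", st);` before the parse call would also make a missing resource fail with a clear message instead of whatever the parser does with a null stream. The test class continues outside the hunk.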
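--- /dev/null
+++ b/KEYCLOAK-4809-IdPMetadata_test.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<EntityDescriptor ID="_5495b16a-7b17-4411-bba2-832fb12b8fa0" entityID="https://erghplferkughduhf.dk/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
+<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="encryption">
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<X509Data>
+<X509Certificate>...</X509Certificate>
+</X509Data>
+</KeyInfo>
+</KeyDescriptor>
+<KeyDescriptor use="signing">
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<X509Data>
+<X509Certificate>...</X509Certificate>
+</X509Data>
+</KeyInfo>
+</KeyDescriptor>
+<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
+<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+<a:Attribute Name="urn:oid:2.5.29.29" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Certificate Issuer DN"/>
+<a:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Common Name"/>
+<a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
+<a:Attribute Name="urn:oid:2.5.4.65" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="OCES Pseudonym"/>
+<a:Attribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Name"/>
+<a:Attribute Name="urn:oid:2.5.4.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Unit"/>
+<a:Attribute Name="urn:oid:2.5.4.16" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Postal Address"/>
+<a:Attribute Name="urn:oid:2.5.4.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Serialnumber"/>
+<a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="SubjectSerialNumber"/>
+<a:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
+<a:Attribute Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Title"/>
+<a:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="User Certificate"/>
+<a:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="STS Bootstrap Token" />
+</IDPSSODescriptor>
+<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="encryption">
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<X509Data>
+<X509Certificate>...</X509Certificate>
+</X509Data>
+</KeyInfo>
+</KeyDescriptor>
+<KeyDescriptor use="signing">
+<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+<X509Data>
+<X509Certificate>...</X509Certificate>
+</X509Data>
+</KeyInfo>
+</KeyDescriptor>
+<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://attributequery.sdfjhjhgjsdghd.dk/AttributeQuery.svc"/>
+<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+<a:Attribute Name="urn:oid:2.5.29.29" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Certificate Issuer DN"/>
+<a:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Common Name"/>
+<a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
+<a:Attribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Name"/>
+<a:Attribute Name="urn:oid:2.5.4.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Unit"/>
+<a:Attribute Name="urn:oid:2.5.4.16" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Postal Address"/>
+<a:Attribute Name="urn:oid:2.5.4.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Serialnumber"/>
+<a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="SubjectSerialNumber"/>
+<a:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
+<a:Attribute Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Title"/>
+<a:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="User Certificate"/>
+</AttributeAuthorityDescriptor>
+<ContactPerson contactType="administrative">
+<Company>Thadfjhkj</Company>
+<GivenName>Hasfkjk</GivenName>
+<SurName>Hasfjfjjris</SurName>
+<EmailAddress>ydfthshe@yudff.dk</EmailAddress>
+<TelephoneNumber>12345678</TelephoneNumber>
+</ContactPerson>
+</EntityDescriptor>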
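Review bot: The certificate placeholders `<X509Certificate>...</X509Certificate>` are not base64, so this fixture exercises element structure only and must not be reused by any test that decodes key material; a comment right after the XML declaration saying so would prevent that, e.g. `<!-- Structural parser fixture: certificates are placeholders and are never decoded. -->`. Note also that `a:Attribute` elements appear under `IDPSSODescriptor` as well as under `AttributeAuthorityDescriptor`, so the parse-only test passing implies the IDPSSODescriptor path tolerates them too, although that parser is not visible here.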
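--- /dev/null
+++ b/saml20-entity-descriptor-idp.xml
@@ -0,0 +1,101 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+entityID="https://IdentityProvider.com/SAML">
+<ds:Signature>...</ds:Signature>
+<IDPSSODescriptor WantAuthnRequestsSigned="true"
+protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="signing">
+<ds:KeyInfo>
+<ds:KeyName>IdentityProvider.com SSO Key</ds:KeyName>
+</ds:KeyInfo>
+</KeyDescriptor>
+<ArtifactResolutionService isDefault="true" index="0"
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+Location="https://IdentityProvider.com/SAML/Artifact"/>
+<SingleLogoutService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+Location="https://IdentityProvider.com/SAML/SLO/SOAP"/>
+<SingleLogoutService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+Location="https://IdentityProvider.com/SAML/SLO/Browser"
+ResponseLocation="https://IdentityProvider.com/SAML/SLO/Response"/>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+</NameIDFormat>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+</NameIDFormat>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+</NameIDFormat>
+<SingleSignOnService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
+<SingleSignOnService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
+<saml:Attribute
+NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+FriendlyName="eduPersonPrincipalName">
+</saml:Attribute>
+<saml:Attribute
+NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+FriendlyName="eduPersonAffiliation">
+<saml:AttributeValue>member</saml:AttributeValue>
+<saml:AttributeValue>student</saml:AttributeValue>
+<saml:AttributeValue>faculty</saml:AttributeValue>
+<saml:AttributeValue>employee</saml:AttributeValue>
+<saml:AttributeValue>staff</saml:AttributeValue>
+</saml:Attribute>
+</IDPSSODescriptor>
+<AttributeAuthorityDescriptor
+protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="signing">
+<ds:KeyInfo>
+<ds:KeyName>IdentityProvider.com AA Key</ds:KeyName>
+</ds:KeyInfo>
+</KeyDescriptor>
+<AttributeService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+Location="https://IdentityProvider.com/SAML/AA/SOAP"/>
+<AssertionIDRequestService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
+Location="https://IdentityProvider.com/SAML/AA/URI"/>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+</NameIDFormat>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+</NameIDFormat>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+</NameIDFormat>
+<saml:Attribute
+NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+FriendlyName="eduPersonPrincipalName">
+</saml:Attribute>
+<saml:Attribute
+NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+FriendlyName="eduPersonAffiliation">
+<saml:AttributeValue>member</saml:AttributeValue>
+<saml:AttributeValue>student</saml:AttributeValue>
+<saml:AttributeValue>faculty</saml:AttributeValue>
+<saml:AttributeValue>employee</saml:AttributeValue>
+<saml:AttributeValue>staff</saml:AttributeValue>
+</saml:Attribute>
+</AttributeAuthorityDescriptor>
+<Organization>
+<OrganizationName xml:lang="en">Identity Providers R
+US</OrganizationName>
+<OrganizationDisplayName xml:lang="en">
+Identity Providers R US, a Division of Lerxst Corp.
+</OrganizationDisplayName>
+<OrganizationURL
+xml:lang="en">https://IdentityProvider.com</OrganizationURL>
+</Organization>
+</EntityDescriptor>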
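Review bot: `<ds:Signature>...</ds:Signature>` is a placeholder, so the test passing shows the parser accepts an unparseable Signature element without any validation; that is fine for a structural fixture, but the file should say so in a leading comment so nobody reads it as a sample of signed metadata, e.g. `<!-- Structural parser fixture: Signature and KeyInfo are placeholders and are never validated. -->`. The content looks like the worked example from the OASIS SAML 2.0 metadata specification, which would be worth citing in the same comment. Both `saml:Attribute` elements with `AttributeValue` children also sit under `AttributeAuthorityDescriptor`, which is the case the parser change targets, so this is the fixture whose parsed result deserves an assertion in the test.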
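--- /dev/null
+++ b/saml20-entity-descriptor-sp.xml
@@ -0,0 +1,56 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+entityID="https://ServiceProvider.com/SAML">
+<ds:Signature>...</ds:Signature>
+<SPSSODescriptor AuthnRequestsSigned="true"
+protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+<KeyDescriptor use="signing">
+<ds:KeyInfo>
+<ds:KeyName>ServiceProvider.com SSO Key</ds:KeyName>
+</ds:KeyInfo>
+</KeyDescriptor>
+<KeyDescriptor use="encryption">
+<ds:KeyInfo>
+<ds:KeyName>ServiceProvider.com Encrypt Key</ds:KeyName>
+</ds:KeyInfo>
+<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+</KeyDescriptor>
+<SingleLogoutService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+Location="https://ServiceProvider.com/SAML/SLO/SOAP"/>
+<SingleLogoutService
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+Location="https://ServiceProvider.com/SAML/SLO/Browser"
+ResponseLocation="https://ServiceProvider.com/SAML/SLO/Response"/>
+<NameIDFormat>
+urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+</NameIDFormat>
+<AssertionConsumerService isDefault="true" index="0"
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+Location="https://ServiceProvider.com/SAML/SSO/Artifact"/>
+<AssertionConsumerService index="1"
+Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+Location="https://ServiceProvider.com/SAML/SSO/POST"/>
+<AttributeConsumingService index="0">
+<ServiceName xml:lang="en">Academic Journals R US</ServiceName>
+<RequestedAttribute
+NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+FriendlyName="eduPersonEntitlement">
+<saml:AttributeValue>
+https://ServiceProvider.com/entitlements/123456789
+</saml:AttributeValue>
+</RequestedAttribute>
+</AttributeConsumingService>
+</SPSSODescriptor>
+<Organization>
+<OrganizationName xml:lang="en">Academic Journals R
+US</OrganizationName>
+<OrganizationDisplayName xml:lang="en">
+Academic Journals R US, a Division of Dirk Corp.
+</OrganizationDisplayName>
+<OrganizationURL
+xml:lang="en">https://ServiceProvider.com</OrganizationURL>
+</Organization>
+</EntityDescriptor>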
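Review bot: The SP fixture advertises `<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>`, i.e. RSA PKCS#1 v1.5 key transport, which is padding-oracle-prone and not something a new deployment should publish. As a parser fixture that is acceptable, but add a leading comment so the file is never copied as a template, e.g. `<!-- Parser fixture (spec example): rsa-1_5 and the placeholder Signature are for structure only; do not copy into real metadata. -->`. The placeholder `<ds:Signature>...</ds:Signature>` likewise means no signature handling is exercised by this test.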