KEYCLOAK-4809 Support for SAML AttributeAuthorityDescriptor.Attribute elements

2017-12-11 15:54:48 +01:00 · 2017-12-11 15:54:48 +01:00 · 958185ec51
commit 958185ec51
parent e6a64e234b
5 changed files with 253 additions and 0 deletions
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
@ -366,6 +366,8 @@ public class SAMLEntityDescriptorParser extends AbstractDescriptorParser impleme
            } else if (JBossSAMLConstants.ATTRIBUTE_PROFILE.get().equalsIgnoreCase(localPart)) {
                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
                attributeAuthority.addAttributeProfile(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.ATTRIBUTE.get().equalsIgnoreCase(localPart)) {
+                attributeAuthority.addAttribute(SAMLParserUtil.parseAttribute(xmlEventReader));
            } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
                attributeAuthority.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
            } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {
--- a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
@ -207,6 +207,27 @@ public class SAMLParserTest {
        }
    }

+    @Test
+    public void testSaml20MetadataEntityDescriptorIdP() throws IOException, ParsingException {
+        try (InputStream st = SAMLParserTest.class.getResourceAsStream("saml20-entity-descriptor-idp.xml")) {
+            parser.parse(st);
+        }
+    }
+
+    @Test
+    public void testSaml20MetadataEntityDescriptorSP() throws IOException, ParsingException {
+        try (InputStream st = SAMLParserTest.class.getResourceAsStream("saml20-entity-descriptor-sp.xml")) {
+            parser.parse(st);
+        }
+    }
+
+    @Test
+    public void testSaml20MetadataEntityDescriptorAdfsIdP() throws IOException, ParsingException {
+        try (InputStream st = SAMLParserTest.class.getResourceAsStream("KEYCLOAK-4809-IdPMetadata_test.xml")) {
+            parser.parse(st);
+        }
+    }
+
    @Test
    public void testAttributeProfileMetadata() throws Exception {
        try (InputStream st = SAMLParserTest.class.getResourceAsStream("KEYCLOAK-4236-AttributeProfile-element.xml")) {
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4809-IdPMetadata_test.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4809-IdPMetadata_test.xml
@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<EntityDescriptor ID="_5495b16a-7b17-4411-bba2-832fb12b8fa0" entityID="https://erghplferkughduhf.dk/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
+    <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <KeyDescriptor use="encryption">
+            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                    <X509Certificate>...</X509Certificate>
+                </X509Data>
+            </KeyInfo>
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                    <X509Certificate>...</X509Certificate>
+                </X509Data>
+            </KeyInfo>
+        </KeyDescriptor>
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sdhgrjhsdgrjhgdrjhgj.dk/adfs/ls/"/>
+        <a:Attribute Name="urn:oid:2.5.29.29" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Certificate Issuer DN"/>
+        <a:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Common Name"/>
+        <a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
+        <a:Attribute Name="urn:oid:2.5.4.65" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="OCES Pseudonym"/>
+        <a:Attribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Name"/>
+        <a:Attribute Name="urn:oid:2.5.4.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Unit"/>
+        <a:Attribute Name="urn:oid:2.5.4.16" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Postal Address"/>
+        <a:Attribute Name="urn:oid:2.5.4.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Serialnumber"/>
+        <a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="SubjectSerialNumber"/>
+        <a:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
+        <a:Attribute Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Title"/>
+        <a:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="User Certificate"/>
+        <a:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="STS Bootstrap Token" /> 
+    </IDPSSODescriptor>  
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <KeyDescriptor use="encryption">
+            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                    <X509Certificate>...</X509Certificate>
+                </X509Data>
+            </KeyInfo>
+        </KeyDescriptor>
+        <KeyDescriptor use="signing">
+            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                    <X509Certificate>...</X509Certificate>
+                </X509Data>
+            </KeyInfo>
+        </KeyDescriptor>
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://attributequery.sdfjhjhgjsdghd.dk/AttributeQuery.svc"/>    
+        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
+        <a:Attribute Name="urn:oid:2.5.29.29" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Certificate Issuer DN"/>
+        <a:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Common Name"/>
+        <a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
+        <a:Attribute Name="urn:oid:2.5.4.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Name"/>
+        <a:Attribute Name="urn:oid:2.5.4.11" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Organisation Unit"/>
+        <a:Attribute Name="urn:oid:2.5.4.16" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Postal Address"/>
+        <a:Attribute Name="urn:oid:2.5.4.5" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Serialnumber"/>
+        <a:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="SubjectSerialNumber"/>
+        <a:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
+        <a:Attribute Name="urn:oid:2.5.4.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Title"/>
+        <a:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="User Certificate"/>
+    </AttributeAuthorityDescriptor>	
+    <ContactPerson contactType="administrative">
+        <Company>Thadfjhkj</Company>
+        <GivenName>Hasfkjk</GivenName>
+        <SurName>Hasfjfjjris</SurName>
+        <EmailAddress>ydfthshe@yudff.dk</EmailAddress>
+        <TelephoneNumber>12345678</TelephoneNumber>
+    </ContactPerson>
+</EntityDescriptor>
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-entity-descriptor-idp.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-entity-descriptor-idp.xml
@ -0,0 +1,101 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                  entityID="https://IdentityProvider.com/SAML">
+    <ds:Signature>...</ds:Signature>
+    <IDPSSODescriptor WantAuthnRequestsSigned="true"
+                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:KeyName>IdentityProvider.com SSO Key</ds:KeyName>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        <ArtifactResolutionService isDefault="true" index="0"
+                                   Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+                                   Location="https://IdentityProvider.com/SAML/Artifact"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://IdentityProvider.com/SAML/SLO/SOAP"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://IdentityProvider.com/SAML/SLO/Browser"
+            ResponseLocation="https://IdentityProvider.com/SAML/SLO/Response"/>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+        </NameIDFormat>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        </NameIDFormat>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+        </NameIDFormat>
+        <SingleSignOnService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
+        <SingleSignOnService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+            Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
+        <saml:Attribute
+            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+            FriendlyName="eduPersonPrincipalName">
+        </saml:Attribute>
+        <saml:Attribute
+            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+            FriendlyName="eduPersonAffiliation">
+            <saml:AttributeValue>member</saml:AttributeValue>
+            <saml:AttributeValue>student</saml:AttributeValue>
+            <saml:AttributeValue>faculty</saml:AttributeValue>
+            <saml:AttributeValue>employee</saml:AttributeValue>
+            <saml:AttributeValue>staff</saml:AttributeValue>
+        </saml:Attribute>
+    </IDPSSODescriptor>
+    <AttributeAuthorityDescriptor
+        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:KeyName>IdentityProvider.com AA Key</ds:KeyName>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        <AttributeService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://IdentityProvider.com/SAML/AA/SOAP"/>
+        <AssertionIDRequestService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
+            Location="https://IdentityProvider.com/SAML/AA/URI"/>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+        </NameIDFormat>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        </NameIDFormat>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+        </NameIDFormat>
+        <saml:Attribute
+            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+            FriendlyName="eduPersonPrincipalName">
+        </saml:Attribute>
+        <saml:Attribute
+            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+            FriendlyName="eduPersonAffiliation">
+            <saml:AttributeValue>member</saml:AttributeValue>
+            <saml:AttributeValue>student</saml:AttributeValue>
+            <saml:AttributeValue>faculty</saml:AttributeValue>
+            <saml:AttributeValue>employee</saml:AttributeValue>
+            <saml:AttributeValue>staff</saml:AttributeValue>
+        </saml:Attribute>
+    </AttributeAuthorityDescriptor>
+    <Organization>
+        <OrganizationName xml:lang="en">Identity Providers R
+            US</OrganizationName>
+        <OrganizationDisplayName xml:lang="en">
+            Identity Providers R US, a Division of Lerxst Corp.
+        </OrganizationDisplayName>
+        <OrganizationURL
+            xml:lang="en">https://IdentityProvider.com</OrganizationURL>
+    </Organization>
+</EntityDescriptor>
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-entity-descriptor-sp.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-entity-descriptor-sp.xml
@ -0,0 +1,56 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+                  entityID="https://ServiceProvider.com/SAML">
+    <ds:Signature>...</ds:Signature>
+    <SPSSODescriptor AuthnRequestsSigned="true"
+                     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <KeyDescriptor use="signing">
+            <ds:KeyInfo>
+                <ds:KeyName>ServiceProvider.com SSO Key</ds:KeyName>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        <KeyDescriptor use="encryption">
+            <ds:KeyInfo>
+                <ds:KeyName>ServiceProvider.com Encrypt Key</ds:KeyName>
+            </ds:KeyInfo>
+            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
+        </KeyDescriptor>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+            Location="https://ServiceProvider.com/SAML/SLO/SOAP"/>
+        <SingleLogoutService
+            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+            Location="https://ServiceProvider.com/SAML/SLO/Browser"
+            ResponseLocation="https://ServiceProvider.com/SAML/SLO/Response"/>
+        <NameIDFormat>
+            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+        </NameIDFormat>
+        <AssertionConsumerService isDefault="true" index="0"
+                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+                                  Location="https://ServiceProvider.com/SAML/SSO/Artifact"/>
+        <AssertionConsumerService index="1"
+                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                                  Location="https://ServiceProvider.com/SAML/SSO/POST"/>
+        <AttributeConsumingService index="0">
+            <ServiceName xml:lang="en">Academic Journals R US</ServiceName>
+            <RequestedAttribute
+                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+                FriendlyName="eduPersonEntitlement">
+                <saml:AttributeValue>
+                    https://ServiceProvider.com/entitlements/123456789
+                </saml:AttributeValue>
+            </RequestedAttribute>
+        </AttributeConsumingService>
+    </SPSSODescriptor>
+    <Organization>
+        <OrganizationName xml:lang="en">Academic Journals R
+            US</OrganizationName>
+        <OrganizationDisplayName xml:lang="en">
+            Academic Journals R US, a Division of Dirk Corp.
+        </OrganizationDisplayName>
+        <OrganizationURL
+            xml:lang="en">https://ServiceProvider.com</OrganizationURL>
+    </Organization>
+</EntityDescriptor>