saml adapter endpoint changes

This commit is contained in:
Bill Burke 2016-01-28 22:56:14 -05:00
parent 93f85d34a7
commit a068d83dd8
77 changed files with 1920 additions and 299 deletions


@ -38,12 +38,16 @@ public abstract class SamlAuthenticator {
protected abstract void completeAuthentication(SamlSession samlSession); protected abstract void completeAuthentication(SamlSession samlSession);
private SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) { protected SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
if (EcpAuthenticationHandler.canHandle(facade)) { if (EcpAuthenticationHandler.canHandle(facade)) {
return EcpAuthenticationHandler.create(facade, deployment, sessionStore); return EcpAuthenticationHandler.create(facade, deployment, sessionStore);
} }
// defaults to the web browser sso profile // defaults to the web browser sso profile
return createBrowserHandler(facade, deployment, sessionStore);
}
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return WebBrowserSsoAuthenticationHandler.create(facade, deployment, sessionStore); return WebBrowserSsoAuthenticationHandler.create(facade, deployment, sessionStore);
} }
} }
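Review bot: The new protected hook `createBrowserHandler` is an extension point with no Javadoc, and every container integration in this commit overrides it to choose between the ordinary browser flow and the `/saml` endpoint handler, so its contract should be written down. Suggest `/** Creates the handler used when no ECP request is detected; subclasses override it to serve the SAML endpoint instead of the default web-browser SSO handler. */` above it, and a one-line note on `createAuthenticationHandler` saying why it was widened from private to protected. The enclosing `SamlAuthenticator` class starts and ends outside this hunk.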


@ -2,6 +2,7 @@ package org.keycloak.adapters.saml;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.saml.BaseSAML2BindingBuilder; import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException; import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException; import org.keycloak.saml.common.exceptions.ProcessingException;
import org.w3c.dom.Document; import org.w3c.dom.Document;
@ -32,4 +33,41 @@ public class SamlUtil {
} }
} }
/**
* Gets a url to redirect to if there is an IDP initiated login. Looks for a redirectTo query param first, then looks
* in RelayState, if not in either defaults to context path.
*
* @param facade
* @param contextPath
* @param baseUri
* @return
*/
public static String getRedirectTo(HttpFacade facade, String contextPath, String baseUri) {
String redirectTo = facade.getRequest().getQueryParamValue("redirectTo");
if (redirectTo != null && !redirectTo.isEmpty()) {
return buildRedirectTo(baseUri, redirectTo);
} else {
redirectTo = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
if (redirectTo != null) {
int index = redirectTo.indexOf("redirectTo=");
if (index >= 0) {
String to = redirectTo.substring(index + "redirectTo=".length());
index = to.indexOf(';');
if (index >=0) {
to = to.substring(0, index);
}
return buildRedirectTo(baseUri, to);
}
}
if (contextPath.isEmpty()) baseUri += "/";
return baseUri;
}
}
private static String buildRedirectTo(String baseUri, String redirectTo) {
if (redirectTo.startsWith("/")) redirectTo = redirectTo.substring(1);
if (baseUri.endsWith("/")) baseUri = baseUri.substring(0, baseUri.length() - 1);
redirectTo = baseUri + "/" + redirectTo;
return redirectTo;
}
} }
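Review bot: `getRedirectTo` builds the redirect target from request-controlled input (the `redirectTo` query parameter, or a `redirectTo=` fragment cut out of `RelayState` with ad-hoc `indexOf`/`;` parsing), and `buildRedirectTo` only strips a single leading `/` before concatenating onto `baseUri`. Because the value is always prefixed with `baseUri` the host cannot be changed here, but `..` segments and percent-encoded characters are not normalized, so a value such as `../other` resolves outside the context path, and the `RelayState` branch is not URL-decoded at all. Suggest resolving the result and checking it stays under the context path, e.g. `URI target = URI.create(baseUri + "/" + redirectTo).normalize();` followed by `if (!target.getPath().startsWith(contextPath)) return baseUri;` (catching `IllegalArgumentException` for malformed input), and filling in the empty `@param`/`@return` tags with what each value is expected to look like. Note also that `baseUri += "/"` reassigns a parameter, which is easy to misread.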


@ -0,0 +1,24 @@
package org.keycloak.adapters.saml.profile.webbrowsersso;
import org.keycloak.adapters.saml.OnSessionCreated;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.profile.SamlInvocationContext;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.saml.common.constants.GeneralConstants;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class BrowserHandler extends WebBrowserSsoAuthenticationHandler {
public BrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
super(facade, deployment, sessionStore);
}
@Override
public AuthOutcome handle(OnSessionCreated onCreateSession) {
return doHandle(new SamlInvocationContext(null, null, null), onCreateSession);
}
}
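Review bot: The import on the line `import org.keycloak.saml.common.constants.GeneralConstants;` is unused in this new class; the same applies to `BrowserHandler` imported in the new `CatalinaSamlEndpoint` and `HttpHandler` imported in the new `UndertowSamlEndpoint`. The class Javadoc carries only author and version, so a purpose line such as `Web-browser SSO handler for ordinary application requests: runs the SSO flow with an empty SamlInvocationContext.` would help readers tell it apart from `SamlEndpoint`, which is selected for the `/saml` path by the container integrations in this commit.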


@ -0,0 +1,33 @@
package org.keycloak.adapters.saml.profile.webbrowsersso;
import org.keycloak.adapters.saml.OnSessionCreated;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.profile.SamlInvocationContext;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.saml.common.constants.GeneralConstants;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class SamlEndpoint extends WebBrowserSsoAuthenticationHandler {
public SamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
super(facade, deployment, sessionStore);
}
@Override
public AuthOutcome handle(OnSessionCreated onCreateSession) {
String samlRequest = facade.getRequest().getFirstParam(GeneralConstants.SAML_REQUEST_KEY);
String samlResponse = facade.getRequest().getFirstParam(GeneralConstants.SAML_RESPONSE_KEY);
String relayState = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
if (samlRequest != null) {
return handleSamlRequest(samlRequest, relayState);
} else if (samlResponse != null) {
return handleSamlResponse(samlResponse, relayState, onCreateSession);
}
return AuthOutcome.NOT_ATTEMPTED;
}
}
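Review bot: `handle` dispatches on which of the `SAML_REQUEST_KEY`/`SAML_RESPONSE_KEY` parameters is present, silently giving the request precedence when both are sent, and passes the `RELAY_STATE` value through untouched to the inherited `handleSamlRequest`/`handleSamlResponse`, whose binding and signature checks are outside this page. That precedence, and the fact that this handler never starts a new SSO flow (it returns `NOT_ATTEMPTED` when neither parameter is present), belong in a class Javadoc, since the container integrations in this commit route every path ending in `/saml` here. Suggest `/** Handler for the SAML protocol endpoint: processes an inbound SAMLRequest or SAMLResponse (request wins if both are present) and never initiates login itself. */`.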


@ -25,7 +25,7 @@ public class WebBrowserSsoAuthenticationHandler extends AbstractSamlAuthenticati
return new WebBrowserSsoAuthenticationHandler(facade, deployment, sessionStore); return new WebBrowserSsoAuthenticationHandler(facade, deployment, sessionStore);
} }
private WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) { WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
super(facade, deployment, sessionStore); super(facade, deployment, sessionStore);
} }


@ -13,6 +13,10 @@ import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.server.handler.ContextHandler; import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.util.URIUtil; import org.eclipse.jetty.util.URIUtil;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.spi.AdapterSessionStore; import org.keycloak.adapters.spi.AdapterSessionStore;
import org.keycloak.adapters.spi.AuthChallenge; import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome; import org.keycloak.adapters.spi.AuthOutcome;
@ -234,16 +238,38 @@ public abstract class AbstractSamlAuthenticator extends LoginAuthenticator {
log.debug("*** deployment isn't configured return false"); log.debug("*** deployment isn't configured return false");
return Authentication.UNAUTHENTICATED; return Authentication.UNAUTHENTICATED;
} }
if (!mandatory) boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
if (!mandatory && !isEndpoint)
return new DeferredAuthentication(this); return new DeferredAuthentication(this);
JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment); JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore ) { SamlAuthenticator authenticator = null;
@Override if (isEndpoint) {
protected void completeAuthentication(SamlSession account) { authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
} }
};
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
};
} else {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
};
}
AuthOutcome outcome = authenticator.authenticate(); AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) { if (outcome == AuthOutcome.AUTHENTICATED) {
if (facade.isEnded()) { if (facade.isEnded()) {
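Review bot: The endpoint test `boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");` matches every path that ends in `/saml` (for example `/reports/saml`), not only the context-relative `/saml` that the Undertow extension protects with its `/saml` URL pattern, and `getRequestURI()` is undecoded and keeps path parameters, so `/saml;jsessionid=…` would not be recognized if URL-rewritten session tracking is in use. The same expression is repeated in the request handling of `SamlFilter` and in `AbstractSamlAuthenticatorValve.invoke`, and `AbstractSamlAuthMech` uses `exchange.getRequestPath().endsWith("/saml")` on the full path, so a single helper would keep the four integrations consistent, e.g. `public static boolean isSamlEndpoint(String pathInContext) { return "/saml".equals(pathInContext); }` in `SamlUtil`. The two anonymous `SamlAuthenticator` subclasses here differ only in the handler they return and could be one class taking that choice as a constructor argument, which `SamlFilter` could then reuse. The enclosing method starts and ends outside this hunk.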


@ -3,12 +3,14 @@ package org.keycloak.adapters.saml.jetty;
import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Request;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.SamlDeployment; import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.spi.AdapterSessionStore; import org.keycloak.adapters.spi.AdapterSessionStore;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.jetty.spi.JettyUserSessionManagement; import org.keycloak.adapters.jetty.spi.JettyUserSessionManagement;
import org.keycloak.adapters.saml.SamlSession; import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore; import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.dom.saml.v2.protocol.StatusType; import org.keycloak.dom.saml.v2.protocol.StatusType;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
@ -151,7 +153,13 @@ public class JettySamlSessionStore implements SamlSessionStore {
@Override @Override
public String getRedirectUri() { public String getRedirectUri() {
return (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI); String redirect = (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI);
if (redirect == null) {
String contextPath = request.getContextPath();
String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
}
return redirect;
} }
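Review bot: The fallback `String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();` derives the redirect base from the incoming request URL, which the servlet container builds from the Host header; if the container or front-end proxy does not validate Host against its configured virtual hosts, a forged header ends up in the Location handed back to the browser. The same construction is added to `FilterSamlSessionStore`, `CatalinaSamlSessionStore` and `ServletSamlSessionStore` in this commit. Either document the assumption that Host is validated upstream or derive the base from deployment configuration, and note in the Javadoc of `getRedirectUri` that it no longer returns `null` when the session attribute is missing (the filter variant still returns `null` when there is no session), since callers that checked for `null` now behave differently.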
@Override @Override


@ -1,12 +1,14 @@
package org.keycloak.adapters.saml.servlet; package org.keycloak.adapters.saml.servlet;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.KeycloakAccount; import org.keycloak.adapters.spi.KeycloakAccount;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.saml.SamlSession; import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore; import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.servlet.FilterSessionStore; import org.keycloak.adapters.servlet.FilterSessionStore;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.dom.saml.v2.protocol.StatusType; import org.keycloak.dom.saml.v2.protocol.StatusType;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -145,7 +147,13 @@ public class FilterSamlSessionStore extends FilterSessionStore implements SamlSe
public String getRedirectUri() { public String getRedirectUri() {
HttpSession session = request.getSession(false); HttpSession session = request.getSession(false);
if (session == null) return null; if (session == null) return null;
return (String)session.getAttribute(REDIRECT_URI); String redirect = (String)session.getAttribute(REDIRECT_URI);
if (redirect == null) {
String contextPath = request.getContextPath();
String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
}
return redirect;
} }
} }


@ -23,11 +23,16 @@ import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment; import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlDeploymentContext; import org.keycloak.adapters.saml.SamlDeploymentContext;
import org.keycloak.adapters.saml.SamlSession; import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder; import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader; import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.servlet.ServletHttpFacade; import org.keycloak.adapters.servlet.ServletHttpFacade;
import org.keycloak.adapters.spi.AuthChallenge; import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome; import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.InMemorySessionIdMapper; import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.saml.common.exceptions.ParsingException; import org.keycloak.saml.common.exceptions.ParsingException;
@ -38,11 +43,16 @@ import org.keycloak.saml.common.exceptions.ParsingException;
*/ */
public class SamlFilter implements Filter { public class SamlFilter implements Filter {
protected SamlDeploymentContext deploymentContext; protected SamlDeploymentContext deploymentContext;
protected SessionIdMapper idMapper = new InMemorySessionIdMapper(); protected SessionIdMapper idMapper;
private final static Logger log = Logger.getLogger("" + SamlFilter.class); private final static Logger log = Logger.getLogger("" + SamlFilter.class);
@Override @Override
public void init(final FilterConfig filterConfig) throws ServletException { public void init(final FilterConfig filterConfig) throws ServletException {
deploymentContext = (SamlDeploymentContext)filterConfig.getServletContext().getAttribute(SamlDeploymentContext.class.getName());
if (deploymentContext != null) {
idMapper = (SessionIdMapper)filterConfig.getServletContext().getAttribute(SessionIdMapper.class.getName());
return;
}
String configResolverClass = filterConfig.getInitParameter("keycloak.config.resolver"); String configResolverClass = filterConfig.getInitParameter("keycloak.config.resolver");
if (configResolverClass != null) { if (configResolverClass != null) {
try { try {
@ -92,7 +102,9 @@ public class SamlFilter implements Filter {
deploymentContext = new SamlDeploymentContext(deployment); deploymentContext = new SamlDeploymentContext(deployment);
log.fine("Keycloak is using a per-deployment configuration."); log.fine("Keycloak is using a per-deployment configuration.");
} }
idMapper = new InMemorySessionIdMapper();
filterConfig.getServletContext().setAttribute(SamlDeploymentContext.class.getName(), deploymentContext); filterConfig.getServletContext().setAttribute(SamlDeploymentContext.class.getName(), deploymentContext);
filterConfig.getServletContext().setAttribute(SessionIdMapper.class.getName(), idMapper);
} }
@ -108,13 +120,34 @@ public class SamlFilter implements Filter {
return; return;
} }
FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper); FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper);
boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
SamlAuthenticator authenticator = null;
if (isEndpoint) {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore) { }
@Override
protected void completeAuthentication(SamlSession account) {
} @Override
}; protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
};
} else {
authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
@Override
protected void completeAuthentication(SamlSession account) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
};
}
AuthOutcome outcome = authenticator.authenticate(); AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) { if (outcome == AuthOutcome.AUTHENTICATED) {
log.fine("AUTHENTICATED"); log.fine("AUTHENTICATED");
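Review bot: When `init` finds an existing `SamlDeploymentContext` in the servlet context it takes `idMapper` from the `SessionIdMapper.class.getName()` attribute and returns, but nothing guards against that attribute being absent, so a context populated by another component without a mapper leaves `idMapper` null and `new FilterSamlSessionStore(request, facade, 100000, idMapper)` later receives it (presumably dereferenced there; its body is outside this page). Suggest `if (idMapper == null) idMapper = new InMemorySessionIdMapper();` before the early `return`, or failing fast with an `IllegalStateException` naming the missing attribute. Both `init` and the request-handling method are cut by the hunk boundaries, so their remaining lines are outside this view.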


@ -150,10 +150,23 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
@Override @Override
public void invoke(Request request, Response response) throws IOException, ServletException { public void invoke(Request request, Response response) throws IOException, ServletException {
log.fine("*********************** SAML ************"); log.fine("*********************** SAML ************");
if (request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml")) {
CatalinaHttpFacade facade = new CatalinaHttpFacade(response, request);
SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
if (deployment != null && deployment.isConfigured()) {
SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
SamlAuthenticator authenticator = new CatalinaSamlEndpoint(facade, deployment, tokenStore);
executeAuthenticator(request, response, facade, deployment, authenticator);
return;
}
}
try { try {
super.invoke(request, response); super.invoke(request, response);
} finally { } finally {
} }
} }
protected abstract GenericPrincipalFactory createPrincipalFactory(); protected abstract GenericPrincipalFactory createPrincipalFactory();
@ -187,7 +200,11 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
SamlSessionStore tokenStore = getSessionStore(request, facade, deployment); SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
CatalinaSamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore); SamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore);
return executeAuthenticator(request, response, facade, deployment, authenticator);
}
protected boolean executeAuthenticator(Request request, HttpServletResponse response, CatalinaHttpFacade facade, SamlDeployment deployment, SamlAuthenticator authenticator) {
AuthOutcome outcome = authenticator.authenticate(); AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) { if (outcome == AuthOutcome.AUTHENTICATED) {
log.fine("AUTHENTICATED"); log.fine("AUTHENTICATED");
@ -209,9 +226,6 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
AuthChallenge challenge = authenticator.getChallenge(); AuthChallenge challenge = authenticator.getChallenge();
if (challenge != null) { if (challenge != null) {
log.fine("challenge"); log.fine("challenge");
if (loginConfig == null) {
loginConfig = request.getContext().getLoginConfig();
}
challenge.challenge(facade); challenge.challenge(facade);
} }
return false; return false;
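Review bot: On the `/saml` branch added to `invoke`, the boolean returned by `executeAuthenticator(request, response, facade, deployment, authenticator)` is discarded and the method returns without calling `super.invoke`, so if the endpoint handler reports success without having written a response the client presumably receives an empty one; the handler's response writing is outside this page, so this may well be intended. A short comment on that branch would make the intent explicit, e.g. `// SAML protocol messages on /saml are consumed here; the endpoint never continues down the valve chain.` The removal of the lazy `loginConfig` initialization in the challenge branch is only safe if `loginConfig` is still assigned elsewhere, which I cannot see from this hunk.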


@ -1,5 +1,7 @@
package org.keycloak.adapters.saml; package org.keycloak.adapters.saml;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
/** /**
@ -15,4 +17,10 @@ public class CatalinaSamlAuthenticator extends SamlAuthenticator {
protected void completeAuthentication(SamlSession account) { protected void completeAuthentication(SamlSession account) {
// complete // complete
} }
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
} }


@ -0,0 +1,28 @@
package org.keycloak.adapters.saml;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.spi.HttpFacade;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class CatalinaSamlEndpoint extends SamlAuthenticator {
public CatalinaSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
super(facade, deployment, sessionStore);
}
@Override
protected void completeAuthentication(SamlSession account) {
// complete
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
}
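Review bot: `completeAuthentication` has an empty body annotated only with `// complete`, which reads as a leftover TODO rather than a statement of intent; the endpoint variants in `SamlFilter`, the Jetty authenticator and `UndertowSamlEndpoint` leave the same method empty with no comment at all. If the endpoint deliberately establishes no container principal because it only processes SAML protocol messages, say so in one line: `// Endpoint requests only process SAML protocol messages; no container principal is established here.` (mark it as an assumption to confirm if that is not the reason). A class Javadoc stating that this authenticator serves the `/saml` path and delegates to `SamlEndpoint` would complete the picture.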


@ -9,9 +9,11 @@ import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement; import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement;
import org.keycloak.adapters.tomcat.GenericPrincipalFactory; import org.keycloak.adapters.tomcat.GenericPrincipalFactory;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType; import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusType; import org.keycloak.dom.saml.v2.protocol.StatusType;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.io.IOException; import java.io.IOException;
import java.util.LinkedList; import java.util.LinkedList;
@ -193,7 +195,13 @@ public class CatalinaSamlSessionStore implements SamlSessionStore {
@Override @Override
public String getRedirectUri() { public String getRedirectUri() {
return (String)getSession(true).getAttribute(SAML_REDIRECT_URI); String redirect = (String)getSession(true).getAttribute(SAML_REDIRECT_URI);
if (redirect == null) {
String contextPath = request.getContextPath();
String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
}
return redirect;
} }
@Override @Override


@ -16,6 +16,7 @@
*/ */
package org.keycloak.adapters.saml.undertow; package org.keycloak.adapters.saml.undertow;
import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment; import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlDeploymentContext; import org.keycloak.adapters.saml.SamlDeploymentContext;
import org.keycloak.adapters.saml.SamlSessionStore; import org.keycloak.adapters.saml.SamlSessionStore;
@ -104,7 +105,14 @@ public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
return AuthenticationMechanismOutcome.NOT_ATTEMPTED; return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
} }
SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext); SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
UndertowSamlAuthenticator authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore); SamlAuthenticator authenticator = null;
if (exchange.getRequestPath().endsWith("/saml")) {
authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
} else {
authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
}
AuthOutcome outcome = authenticator.authenticate(); AuthOutcome outcome = authenticator.authenticate();
if (outcome == AuthOutcome.AUTHENTICATED) { if (outcome == AuthOutcome.AUTHENTICATED) {
registerNotifications(securityContext); registerNotifications(securityContext);
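Review bot: Both branches of the new `if (exchange.getRequestPath().endsWith("/saml"))` call `deploymentContext.resolveDeployment(facade)` a second time although `deployment` was already resolved and used for `getTokenStore` on the line above; with a per-request config resolver the second call could hand the authenticator a different deployment than the one the session store was built with, and it costs an extra resolution per request. Suggest passing the existing local: `authenticator = new UndertowSamlEndpoint(facade, deployment, sessionStore);` and likewise for `UndertowSamlAuthenticator`. The endpoint check here uses the full request path rather than the context-relative path used by the other integrations, so a context root itself ending in `/saml` would be treated differently. The enclosing method starts and ends outside this hunk.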


@ -26,7 +26,9 @@ import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.AuthMethodConfig; import io.undertow.servlet.api.AuthMethodConfig;
import io.undertow.servlet.api.DeploymentInfo; import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.LoginConfig; import io.undertow.servlet.api.LoginConfig;
import io.undertow.servlet.api.SecurityConstraint;
import io.undertow.servlet.api.ServletSessionConfig; import io.undertow.servlet.api.ServletSessionConfig;
import io.undertow.servlet.api.WebResourceCollection;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.AdapterConstants; import org.keycloak.adapters.saml.AdapterConstants;
import org.keycloak.adapters.saml.DefaultSamlDeployment; import org.keycloak.adapters.saml.DefaultSamlDeployment;
@ -184,10 +186,24 @@ public class SamlServletExtension implements ServletExtension {
ServletSessionConfig cookieConfig = new ServletSessionConfig(); ServletSessionConfig cookieConfig = new ServletSessionConfig();
cookieConfig.setPath(deploymentInfo.getContextPath()); cookieConfig.setPath(deploymentInfo.getContextPath());
deploymentInfo.setServletSessionConfig(cookieConfig); deploymentInfo.setServletSessionConfig(cookieConfig);
addEndpointConstraint(deploymentInfo);
ChangeSessionId.turnOffChangeSessionIdOnLogin(deploymentInfo); ChangeSessionId.turnOffChangeSessionIdOnLogin(deploymentInfo);
} }
/**
* add security constraint to /saml so that the endpoint can be called and auth mechanism pinged.
* @param deploymentInfo
*/
protected void addEndpointConstraint(DeploymentInfo deploymentInfo) {
SecurityConstraint constraint = new SecurityConstraint();
WebResourceCollection collection = new WebResourceCollection();
collection.addUrlPattern("/saml");
constraint.addWebResourceCollection(collection);
deploymentInfo.addSecurityConstraint(constraint);
}
protected ServletSamlAuthMech createAuthMech(DeploymentInfo deploymentInfo, SamlDeploymentContext deploymentContext, UndertowUserSessionManagement userSessionManagement) { protected ServletSamlAuthMech createAuthMech(DeploymentInfo deploymentInfo, SamlDeploymentContext deploymentContext, UndertowUserSessionManagement userSessionManagement) {
return new ServletSamlAuthMech(deploymentContext, userSessionManagement, getErrorPage(deploymentInfo)); return new ServletSamlAuthMech(deploymentContext, userSessionManagement, getErrorPage(deploymentInfo));
} }
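Review bot: `addEndpointConstraint` registers a `SecurityConstraint` for `/saml` with no roles and no transport guarantee, and the Javadoc only says the auth mechanism should be "pinged"; what happens to a request that gets past the mechanism then depends on Undertow's empty-role semantic for that constraint, which the code leaves at its default. If the intent is that the SAML mechanism always ends the exchange for `/saml` so authorization is never reached, the Javadoc should say exactly that and fill in `@param deploymentInfo`; otherwise set the semantic explicitly with `constraint.setEmptyRoleSemantic(...)` so the behaviour does not hinge on a library default. The constraint is added unconditionally, so an application that maps its own servlet at `/saml` now has the SAML mechanism run in front of it.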


@ -8,19 +8,19 @@ import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpSessionImpl; import io.undertow.servlet.spec.HttpSessionImpl;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.adapters.saml.SamlDeployment; import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlUtil;
import org.keycloak.adapters.spi.SessionIdMapper; import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.saml.SamlSession; import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore; import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.undertow.ChangeSessionId; import org.keycloak.adapters.undertow.ChangeSessionId;
import org.keycloak.adapters.undertow.SavedRequest; import org.keycloak.adapters.undertow.SavedRequest;
import org.keycloak.adapters.undertow.ServletHttpFacade;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement; import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.dom.saml.v2.protocol.StatusType;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.security.Principal; import java.security.Principal;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -179,7 +179,15 @@ public class ServletSamlSessionStore implements SamlSessionStore {
public String getRedirectUri() { public String getRedirectUri() {
final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY); final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true); HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
return (String)session.getAttribute(SAML_REDIRECT_URI); String redirect = (String)session.getAttribute(SAML_REDIRECT_URI);
if (redirect == null) {
ServletHttpFacade facade = new ServletHttpFacade(exchange);
HttpServletRequest req = (HttpServletRequest)sc.getServletRequest();
String contextPath = req.getContextPath();
String baseUri = KeycloakUriBuilder.fromUri(req.getRequestURL().toString()).replacePath(contextPath).build().toString();
return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
}
return redirect;
} }
@Override @Override


@ -2,6 +2,9 @@ package org.keycloak.adapters.saml.undertow;
import io.undertow.security.api.SecurityContext; import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account; import io.undertow.security.idm.Account;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.saml.SamlAuthenticator; import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment; import org.keycloak.adapters.saml.SamlDeployment;
@ -39,4 +42,10 @@ public class UndertowSamlAuthenticator extends SamlAuthenticator {
securityContext.authenticationComplete(undertowAccount, "KEYCLOAK-SAML", false); securityContext.authenticationComplete(undertowAccount, "KEYCLOAK-SAML", false);
} }
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new BrowserHandler(facade, deployment, sessionStore);
}
} }


@ -0,0 +1,32 @@
package org.keycloak.adapters.saml.undertow;
import io.undertow.server.HttpHandler;
import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.spi.HttpFacade;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class UndertowSamlEndpoint extends SamlAuthenticator {
public UndertowSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
super(facade, deployment, sessionStore);
}
@Override
protected void completeAuthentication(SamlSession samlSession) {
}
@Override
protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
return new SamlEndpoint(facade, deployment, sessionStore);
}
}
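Review bot: `completeAuthentication` in UndertowSamlEndpoint is an empty override with no comment, so a reader cannot tell whether it is deliberate that a `SamlSession` produced through this endpoint is never handed to Undertow's `SecurityContext`. If that is by design (the endpoint presumably only consumes the SAML message and redirects, leaving the actual login to `UndertowSamlAuthenticator` -- confirm), say so in place: `// No-op: the endpoint only processes SAML messages; the protected resource's authenticator completes login.` The `io.undertow.server.HttpHandler` import is unused and can go as well.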


@ -24,6 +24,7 @@ public class SamlAdapterTest {
ClassLoader classLoader = SamlAdapterTest.class.getClassLoader(); ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2", "post.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
@ -76,7 +77,7 @@ public class SamlAdapterTest {
} }
//@Test Doesn't work for Wildfly as the input stream is read by getParameter for SAML POST binding @Test
public void testSavedPostRequest() throws Exception { public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest(); testStrategy.testSavedPostRequest();
} }
@ -129,6 +130,11 @@ public class SamlAdapterTest {
testStrategy.testPostSimpleLoginLogoutIdpInitiated(); testStrategy.testPostSimpleLoginLogoutIdpInitiated();
} }
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testAttributes() throws Exception { public void testAttributes() throws Exception {
testStrategy.testAttributes(); testStrategy.testAttributes();
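Review bot: The added `initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2", "post.war", classLoader)` reuses the archive name `post.war` that the line above already uses for `/sales-post`. If the helper derives the deployment name from the archive name, the second deployment can collide with or replace the first; I cannot see the helper from here, so please confirm, and a distinct name such as `"post2.war"` removes the question either way. Re-enabling `testSavedPostRequest` also deletes the comment that explained the earlier WildFly failure without noting what fixed it; a short comment pointing at the fix would help anyone who sees it fail again.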


@ -124,7 +124,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testSavedPostRequest() throws Exception { public void testSavedPostRequest() throws Exception {
// test login to customer-portal which does a bearer request to customer-db // test login to customer-portal which does a bearer request to customer-db
driver.navigate().to(APP_SERVER_BASE_URL + "/input-portal"); driver.navigate().to(APP_SERVER_BASE_URL + "/input-portal");
System.out.println("Current url: " + driver.getCurrentUrl()); System.err.println("*********** Current url: " + driver.getCurrentUrl());
Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal")); Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal"));
inputPage.execute("hello"); inputPage.execute("hello");
@ -160,13 +160,13 @@ public class SamlAdapterTestStrategy extends ExternalResource {
Response response = client.target(APP_SERVER_BASE_URL + "/employee-sig/").request().get(); Response response = client.target(APP_SERVER_BASE_URL + "/employee-sig/").request().get();
response.close(); response.close();
SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder() SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
.destination(APP_SERVER_BASE_URL + "/employee-sig/") .destination(APP_SERVER_BASE_URL + "/employee-sig/saml")
.issuer(AUTH_SERVER_URL + "/realms/demo") .issuer(AUTH_SERVER_URL + "/realms/demo")
.status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get()); .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder() BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder()
.relayState(null); .relayState(null);
Document document = builder.buildDocument(); Document document = builder.buildDocument();
URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/", false); URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/saml", false);
response = client.target(uri).request().get(); response = client.target(uri).request().get();
String errorPage = response.readEntity(String.class); String errorPage = response.readEntity(String.class);
response.close(); response.close();
@ -195,7 +195,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
// first request on passive app - no login page shown, user not logged in as we are in passive mode. // first request on passive app - no login page shown, user not logged in as we are in passive mode.
// Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in) // Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl()); assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
if (forbiddenIfNotauthenticated) { if (forbiddenIfNotauthenticated) {
Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403")); Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
@ -219,7 +219,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
// refresh passive app page, not logged in again as we are in passive mode // refresh passive app page, not logged in again as we are in passive mode
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl()); assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
Assert.assertFalse(driver.getPageSource().contains("bburke")); Assert.assertFalse(driver.getPageSource().contains("bburke"));
} }
@ -235,13 +235,23 @@ public class SamlAdapterTestStrategy extends ExternalResource {
public void testPostSimpleLoginLogoutIdpInitiated() { public void testPostSimpleLoginLogoutIdpInitiated() {
driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post"); driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post");
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/"); Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/sales-post"));
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke")); Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true); checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true);
} }
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post2");
loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post2/foo");
System.out.println(driver.getPageSource());
Assert.assertTrue(driver.getPageSource().contains("bburke"));
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post2?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post2/", true);
}
public void testPostSignedLoginLogout() { public void testPostSignedLoginLogout() {
driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/");
assertAtLoginPagePostBinding(); assertAtLoginPagePostBinding();
@ -486,7 +496,7 @@ public class SamlAdapterTestStrategy extends ExternalResource {
driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/"); driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
assertAtLoginPagePostBinding(); assertAtLoginPagePostBinding();
loginPage.login("bburke", "password"); loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/"); assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/saml");
System.out.println(driver.getPageSource()); System.out.println(driver.getPageSource());
Assert.assertNotNull(ErrorServlet.authError); Assert.assertNotNull(ErrorServlet.authError);
SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError; SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError;
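Review bot: The new `testPostSimpleLoginLogoutIdpInitiatedRedirectTo` only exercises a relative `redirectTo=/foo` RelayState; there is no negative case showing that an absolute or protocol-relative target (`redirectTo=http://evil.example/`, `redirectTo=//evil.example`) is confined to the SP's base URI, which is the open-redirect question a reviewer will ask of any RelayState-driven redirect. The computation lives in `SamlUtil.getRedirectTo` outside this file, so I cannot confirm how it normalises the value; a test asserting `driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/sales-post2")` for such inputs would pin the behaviour. Separately, `System.err.println("*********** Current url: " + driver.getCurrentUrl())` in `testSavedPostRequest` reads as leftover debugging and should revert to the previous `System.out.println`.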


@ -38,7 +38,7 @@ public class SendUsernameServlet extends HttpServlet {
OutputStream stream = resp.getOutputStream(); OutputStream stream = resp.getOutputStream();
Principal principal = req.getUserPrincipal(); Principal principal = req.getUserPrincipal();
stream.write("request-path: ".getBytes()); stream.write("request-path: ".getBytes());
stream.write(req.getPathInfo().getBytes()); if (req.getPathInfo() != null) stream.write(req.getPathInfo().getBytes());
stream.write("\n".getBytes()); stream.write("\n".getBytes());
stream.write("principal=".getBytes()); stream.write("principal=".getBytes());
if (principal == null) { if (principal == null) {
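Review bot: The guarded `req.getPathInfo().getBytes()` still encodes with the platform default charset, as does every other `getBytes()` call in this servlet, so the response bytes depend on the container's `file.encoding`; `getBytes(StandardCharsets.UTF_8)` makes the output deterministic. The null guard itself is right, since `getPathInfo()` returns null when the request carries no extra path information.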


@ -24,6 +24,7 @@ public class SamlAdapterTest {
ClassLoader classLoader = SamlAdapterTest.class.getClassLoader(); ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post", "post.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2", "post.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader); initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
@ -72,6 +73,12 @@ public class SamlAdapterTest {
} }
} }
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testMetadataPostSignedLoginLogout() throws Exception { public void testMetadataPostSignedLoginLogout() throws Exception {
testStrategy.testMetadataPostSignedLoginLogout(); testStrategy.testMetadataPostSignedLoginLogout();
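Review bot: The added `/sales-post2` deployment passes the same archive name `post.war` as the `/sales-post` deployment on the preceding line. Whether that collides depends on how `initializeSamlSecuredWar` names the deployment, which is not visible here; using `"post2.war"` sidesteps the ambiguity and matches the naming of the other fixtures.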


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8081/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
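Review bot: This descriptor, like the `simple-post` fixture it mirrors, declares no `<Keys>` under `<IDP>`, so the SP has no key with which to verify signatures on responses from the IdP and presumably accepts them unsigned (confirm against the adapter's default for signature checking). That is acceptable for a test of the unsigned POST binding, but a one-line comment such as `<!-- test fixture: unsigned responses over plain http; do not use as a production template -->` stops the file being copied as-is. `sslPolicy="EXTERNAL"` with `http://localhost` URLs is fine here for the same reason.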


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,30 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8081/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8081/sales-post2",
"redirectUris": [
"http://localhost:8081/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{ {
"name": "http://localhost:8081/input-portal/", "name": "http://localhost:8081/input-portal/",
"enabled": true, "enabled": true,
@ -96,10 +113,10 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/", "saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/input-portal/", "saml_single_logout_service_url_post": "http://localhost:8081/input-portal/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/" "saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/saml"
} }
}, },
{ {
@ -113,10 +130,10 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/saml",
"saml_idp_initiated_sso_url_name": "sales-post-passive" "saml_idp_initiated_sso_url_name": "sales-post-passive"
} }
}, },
@ -130,10 +147,10 @@
"http://localhost:8081/sales-post-sig/*" "http://localhost:8081/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -152,10 +169,10 @@
"http://localhost:8081/sales-post-sig-transient/*" "http://localhost:8081/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -173,10 +190,10 @@
"http://localhost:8081/sales-post-sig-persistent/*" "http://localhost:8081/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -197,10 +214,10 @@
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -214,7 +231,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8081/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8081/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8081/bad-realm-sales-post-sig/*" "http://localhost:8081/bad-realm-sales-post-sig/*"
], ],
@ -231,7 +248,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8081/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8081/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8081/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8081/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8081/bad-client-sales-post-sig/*" "http://localhost:8081/bad-client-sales-post-sig/*"
], ],
@ -252,10 +269,10 @@
"http://localhost:8081/sales-post-enc/*" "http://localhost:8081/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -274,7 +291,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8081/employee-sig/*" "http://localhost:8081/employee-sig/*"
], ],
"adminUrl": "http://localhost:8081/employee-sig/", "adminUrl": "http://localhost:8081/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -288,7 +305,7 @@
"enabled": true, "enabled": true,
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8081/employee/", "baseUrl": "http://localhost:8081/employee/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8081/employee/*" "http://localhost:8081/employee/*"
], ],
@ -342,7 +359,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8081/employee2/*" "http://localhost:8081/employee2/*"
], ],
"adminUrl": "http://localhost:8081/employee2/", "adminUrl": "http://localhost:8081/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -394,10 +411,10 @@
"http://localhost:8081/employee-sig-front/*" "http://localhost:8081/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",
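Review bot: The `employee` client is the only one whose `baseUrl` was moved to the new endpoint (`"baseUrl": "http://localhost:8081/employee/saml"`); every other client in this file keeps `baseUrl` at the context root and moves `adminUrl` or the `saml_*_url_*` attributes instead (compare `bad-realm-sales-post-sig`, `employee-sig` and `employee2`). If `baseUrl` is what the admin console and account pages use as the application's home link, pointing it at the SAML message endpoint looks like a slip; `"baseUrl": "http://localhost:8081/employee/"` together with `"adminUrl": "http://localhost:8081/employee/saml"` would match the siblings. I cannot see how the `employee` client is consumed by the tests, so please confirm before changing it.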


@ -70,6 +70,8 @@ public class JettySamlTest {
File base = new File(dir.getFile()).getParentFile(); File base = new File(dir.getFile()).getParentFile();
//list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal")); //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post")); list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig")); list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email")); list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient")); list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@ -103,6 +105,16 @@ public class JettySamlTest {
} catch (Exception e) {} } catch (Exception e) {}
} }
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testErrorHandling() throws Exception { public void testErrorHandling() throws Exception {
testStrategy.testErrorHandling(); testStrategy.testErrorHandling();


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>
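Review bot: The commented-out `adapterConfig` block inside the `KeycloakSamlAuthenticator` element is OpenID Connect adapter configuration (`realm`, `resource`, `authServerUrl`, `credentials`, `realmKey`) and carries a literal `secret`/`password` credential pair plus an RSA public key. Dead configuration containing credentials tends to get uncommented and copied verbatim; unless the Jetty SAML authenticator reads something from it (I cannot see its code here), delete the comment and leave only `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator"/>`.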


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
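Review bot: The `<login-config>` declares `<auth-method>BASIC</auth-method>` together with a `<form-login-config>`, which the servlet specification only consults for FORM, so one of the two is dead and a reader cannot tell which one the Keycloak Jetty authenticator actually honours. The servlet is registered as `<servlet-name>SendUsernameServlet</servlet-name>` while its class is `InputServlet`, and `el-jefe` is declared as a `<security-role>` without appearing in any `<auth-constraint>`; both look carried over from the other fixtures. Renaming the servlet to `InputServlet` and dropping the unused role would make the descriptor say what it does.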


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>
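Review bot: As in the sibling `jetty-web.xml`, the commented-out `adapterConfig` block is OpenID Connect configuration (`realm`, `resource`, `credentials`, `realmKey`) with a literal `secret`/`password` pair embedded in a SAML authenticator descriptor. Unless the Jetty SAML authenticator reads it, which I cannot verify from this page, remove the comment so the file contains only the `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator"/>` it needs.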


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
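Review bot: The `<IDP entityID="idp">` element carries no signature-related settings, so this SP presumably performs no signature validation on IdP responses or logout requests; that is consistent with the `sales-post2` client in testsaml.json, which does not set `saml.server.signature`, but nothing in the file records that the omission is deliberate. An XML comment above the IDP element, e.g. `<!-- test fixture: IdP signature validation intentionally off; the matching client in testsaml.json is unsigned -->`, would stop this descriptor being reused as a template. The same applies to the two other new `<keycloak-saml-adapter>` descriptors added in this commit (input-portal and the second sales-post2).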


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
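Review bot: `<login-config>` declares `<auth-method>BASIC</auth-method>` together with a `<form-login-config>`; the servlet spec only consults `form-login-config` for the FORM method, so both page entries are dead configuration here, and since the jetty-web.xml in this commit installs `KeycloakSamlAuthenticator` on the security handler, the BASIC method itself is presumably only a placeholder. A comment such as `<!-- auth-method is replaced by KeycloakSamlAuthenticator (jetty-web.xml); form-login-config is not used under BASIC -->` would make the intent clear, or the `form-login-config` block could simply be dropped. The two other new web.xml sections in this commit have the same shape.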


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",
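Review bot: The two new clients in the first hunk are inconsistent about trailing slashes: `sales-post2` has `"baseUrl": "http://localhost:8082/sales-post2"` while its `name` is `http://localhost:8082/sales-post2/` and the sibling `input-portal` uses `"baseUrl": "http://localhost:8082/input-portal/"`; since `baseUrl` is presumably what the server resolves relative redirects against, picking one form (`"baseUrl": "http://localhost:8082/sales-post2/"`) avoids a test that passes or fails depending on slash handling. The `sales-post2` client also introduces `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"`; the adapter code that consumes `redirectTo` is not in this commit's visible hunks, so it is worth confirming that it accepts only application-relative paths and adding a test with an absolute URL, otherwise an IdP-initiated relay state becomes a redirect target the application does not control.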


@ -70,6 +70,8 @@ public class JettySamlTest {
File base = new File(dir.getFile()).getParentFile(); File base = new File(dir.getFile()).getParentFile();
//list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal")); //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post")); list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig")); list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email")); list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient")); list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@ -103,6 +105,16 @@ public class JettySamlTest {
} catch (Exception e) {} } catch (Exception e) {}
} }
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testErrorHandling() throws Exception { public void testErrorHandling() throws Exception {
testStrategy.testErrorHandling(); testStrategy.testErrorHandling();
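Review bot: In the second hunk `testPostSimpleLoginLogoutIdpInitiatedRedirectTo()` is declared without `throws Exception`, while the new `testSavedPostRequest()` and the neighbouring `testErrorHandling()` both declare it; presumably the strategy method it delegates to throws nothing checked, but the mismatch reads as an oversight in a file where every other delegating test has the same signature shape. Adding `throws Exception` to the new method keeps the tests uniform and avoids a compile break if the strategy method later gains a checked exception. The rendered view also suggests the blank lines between the new `@Test` methods were dropped; worth checking the formatting matches the surrounding methods.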


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",


@ -70,6 +70,8 @@ public class JettySamlTest {
File base = new File(dir.getFile()).getParentFile(); File base = new File(dir.getFile()).getParentFile();
//list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal")); //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post")); list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig")); list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email")); list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient")); list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@ -103,6 +105,16 @@ public class JettySamlTest {
} catch (Exception e) {} } catch (Exception e) {}
} }
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testErrorHandling() throws Exception { public void testErrorHandling() throws Exception {
testStrategy.testErrorHandling(); testStrategy.testErrorHandling();
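Review bot: The new `testPostSimpleLoginLogoutIdpInitiatedRedirectTo` appears to cover only the relay state configured for the fixture (`redirectTo=/foo` in the realm JSON of this commit); nothing in this class exercises a RelayState that carries an absolute or protocol-relative URL, which is exactly the input an IdP-initiated open redirect would need, and RelayState is attacker-supplied in that flow. The strategy method it delegates to is outside this diff, so I cannot see what it asserts; if it is happy-path only, add a sibling test that sends `redirectTo=http://evil.example/` and asserts the adapter stays on the SP origin. Minor style point: `testSavedPostRequest` declares `throws Exception` while the neighbouring new method does not; use one form for both.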


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>
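Review bot: The commented-out `adapterConfig` block (the `<!-- ... -->` span inside `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">`) is dead configuration for an OIDC `AdapterConfig` (realm `tomcat`, resource `customer-portal`) and has nothing to do with the SAML authenticator this file wires up, yet it ships a literal credential `<Item>password</Item>` and a `realmKey`. Dead config carrying secrets tends to get uncommented or copied; drop it and reduce the element to `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator"/>`. If an example is wanted, point readers at the app's `keycloak-saml.xml` instead.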


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
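Review bot: The `<IDP entityID="idp">` element carries no `signaturesRequired` attribute and no `<Keys>` child, and the `<SP>` declares none either, so as far as this file shows nothing in this SP validates a signature on responses from the IdP; combined with `sslPolicy="EXTERNAL"` and plain `http://localhost` endpoints this is acceptable for a local test fixture but dangerous if copied into a real deployment. Add a header comment making that explicit, e.g. `<!-- test fixture only: unsigned responses, plain HTTP on localhost; do not use as a template -->`. Whether the adapter would reject an unsigned response by default is not visible from this diff, so confirm against the deployment parser before relying on it.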


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
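Review bot: `<auth-method>BASIC</auth-method>` is paired with a `<form-login-config>`, which only applies to `FORM` authentication, so the `login-config` contradicts itself and reads as a copy-paste from another fixture; the Jetty/Tomcat SAML authenticator presumably replaces the container mechanism anyway, but the file should say what it means, e.g. `<auth-method>KEYCLOAK-SAML</auth-method>` or a comment noting the value is overridden. The servlet is named `SendUsernameServlet` but maps `org.keycloak.testsuite.keycloaksaml.InputServlet`; rename it to `InputServlet`. Note also that only `/secured/*` is constrained and everything else under `/*` is anonymous, which looks intentional for the saved-POST test but deserves a one-line comment so the next reader does not tighten it.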


@ -0,0 +1,29 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="securityHandler">
<Set name="authenticator">
<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
<!--
<Set name="adapterConfig">
<New class="org.keycloak.representations.adapters.config.AdapterConfig">
<Set name="realm">tomcat</Set>
<Set name="resource">customer-portal</Set>
<Set name="authServerUrl">http://localhost:8081/auth</Set>
<Set name="sslRequired">external</Set>
<Set name="credentials">
<Map>
<Entry>
<Item>secret</Item>
<Item>password</Item>
</Entry>
</Map>
</Set>
<Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
</New>
</Set>
-->
</New>
</Set>
</Get>
</Configure>
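Review bot: Same problem as the other new `jetty-web.xml`: the commented-out `adapterConfig` block is OIDC configuration (realm `tomcat`, resource `customer-portal`) unrelated to `KeycloakSamlAuthenticator` and it embeds a literal secret `<Item>password</Item>` plus a `realmKey`. Remove the dead block and collapse the element to `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator"/>` so there is no credential to copy or accidentally uncomment.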


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
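Review bot: No `signaturesRequired` attribute and no `<Keys>` element are configured under `<IDP entityID="idp">`, so this SP, as far as the file shows, performs no signature validation on responses, and `sslPolicy="EXTERNAL"` with `http://localhost` endpoints means no transport protection either. That matches the unsigned `sales-post2` client in the realm JSON of this commit, but the file gives no hint it is intentional; add `<!-- test fixture: unsigned IdP responses over plain HTTP; not a template for real SPs -->` at the top.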


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
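Review bot: The `login-config` mixes `<auth-method>BASIC</auth-method>` with a `<form-login-config>`, which the servlet spec only honours for `FORM`; if the Keycloak authenticator overrides the method (not visible here), say so with a comment, otherwise use the SAML method name the adapter registers. The `/*` security constraint also covers the new `/saml` endpoint that the commit's realm JSON points the ACS and SLO URLs at, so the fixture relies entirely on the adapter intercepting that path before the container's role check; a comment such as `<!-- /saml is handled by the Keycloak SAML authenticator before this constraint applies -->` would make that dependency explicit. `el-jefe` is declared as a security-role but appears in no constraint; fine if the servlet calls `isUserInRole`, but worth a note.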


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",
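Review bot: The new `sales-post2` client sets `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"`, which implies the adapter now reads a `redirectTo` target out of RelayState after an IdP-initiated login; in that flow RelayState is supplied by whoever starts the request, so unless the adapter confines the value to a relative path on the SP's own origin this becomes an open redirect off a freshly authenticated session. The adapter-side handling is not in this section, so I cannot confirm it is constrained; please make sure it rejects absolute and protocol-relative (`//host`) values and that a test in this suite covers the rejection, not only `/foo`. Minor: `"baseUrl": "http://localhost:8082/sales-post2"` lacks the trailing slash the neighbouring `input-portal` client uses.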


@ -61,6 +61,8 @@ public class TomcatSamlTest {
System.setProperty("app.server.base.url", "http://localhost:8082"); System.setProperty("app.server.base.url", "http://localhost:8082");
System.setProperty("my.host.name", "localhost"); System.setProperty("my.host.name", "localhost");
tomcat.deploySaml("/sales-post", "simple-post"); tomcat.deploySaml("/sales-post", "simple-post");
tomcat.deploySaml("/sales-post2", "simple-post2");
tomcat.deploySaml("/input-portal", "simple-input");
tomcat.deploySaml("/sales-post-sig", "signed-post"); tomcat.deploySaml("/sales-post-sig", "signed-post");
tomcat.deploySaml("/sales-post-sig-email", "signed-post-email"); tomcat.deploySaml("/sales-post-sig-email", "signed-post-email");
tomcat.deploySaml("/sales-post-sig-transient", "signed-post-transient"); tomcat.deploySaml("/sales-post-sig-transient", "signed-post-transient");
@ -87,6 +89,16 @@ public class TomcatSamlTest {
@Rule @Rule
public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule); public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testPostSimpleLoginLogout() { public void testPostSimpleLoginLogout() {
testStrategy.testPostSimpleLoginLogout(); testStrategy.testPostSimpleLoginLogout();
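Review bot: The two new deployments `tomcat.deploySaml("/sales-post2", "simple-post2")` and `tomcat.deploySaml("/input-portal", "simple-input")` are the fixtures for the two new test methods further down, but nothing ties them together for a reader; add `// sales-post2: IdP-initiated SSO with redirectTo relay state; input-portal: saved POST request replay` next to the deploy lines. As with the Jetty class, `testPostSimpleLoginLogoutIdpInitiatedRedirectTo` only names the configured `/foo` target; the strategy method lives outside this diff, so confirm it also asserts that a non-relative `redirectTo` is not followed. `testSavedPostRequest` declares `throws Exception` while its new sibling does not; keep the two consistent.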


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
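Review bot: This Tomcat copy of the `input-portal` descriptor has the same gap as the Jetty one: `<IDP entityID="idp">` carries neither `signaturesRequired` nor a `<Keys>` block, so no IdP signature is verified as far as this file shows, and `sslPolicy="EXTERNAL"` with plain-HTTP URLs removes transport protection too. Mark it as a deliberately weak test fixture with a comment such as `<!-- test fixture only: unsigned responses over HTTP on localhost -->` so it is not lifted into a real configuration.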


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
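Review bot: `<auth-method>BASIC</auth-method>` together with `<form-login-config>` is contradictory (the form block only applies to `FORM`), and the servlet named `SendUsernameServlet` actually maps `InputServlet`; both look copied from the `sales-post` fixture. Rename the servlet to `InputServlet` and either use the method name the Keycloak valve registers or add a comment that the container value is overridden. Leaving `/*` anonymous and constraining only `/secured/*` appears intentional for the saved-POST scenario; a one-line comment stating that would stop someone "fixing" it.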


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
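Review bot: As in its Jetty twin, the `sales-post2` SP configures no `<Keys>` and no `signaturesRequired` on `<IDP entityID="idp">`, so nothing visible here validates the IdP's signature, and `sslPolicy="EXTERNAL"` with `http://localhost` endpoints leaves the exchange in the clear. That is consistent with the unsigned client definition in this commit's realm JSON, but the descriptor should say so: add `<!-- test fixture: unsigned IdP responses, plain HTTP; do not copy -->` above `<SP>`.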


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
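Review bot: The `/*` constraint with `<role-name>manager</role-name>` also covers the `/saml` path that the realm JSON in this commit uses for the ACS and SLO endpoints, so correct behaviour depends on the Keycloak valve consuming the SAML POST before Tomcat's role check runs; that dependency is not written down anywhere in the file. Add `<!-- /saml (ACS/SLO) is processed by the Keycloak SAML valve before this constraint is evaluated -->` next to the constraint. Separately, `<auth-method>BASIC</auth-method>` plus a `<form-login-config>` is an inconsistent `login-config` and reads as copy-paste; use the method the adapter registers or comment that it is overridden.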


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",
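Review bot: The new `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"` on the `sales-post2` client introduces a RelayState that some adapter code outside this section must parse and act on, and nothing here shows that `redirectTo` is constrained. RelayState arrives in the same unauthenticated POST as the SAML response at the ACS, and this client (like `input-portal`) carries no `saml.server.signature`, so the value cannot be assumed to come from the IdP's configuration; if the handler redirects to whatever `redirectTo` holds, an absolute URL or a `//host` value becomes an open redirect. Presumably the handler already restricts it to a path under the application's base URL — if not, that is the check to add, and a short comment next to this attribute saying the value must stay a relative path would help the next person who copies the fixture. Note this same fixture block appears a second time further down the page, so any change needs to land in both copies.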


@ -78,6 +78,8 @@ public class TomcatSamlTest {
tomcat.addWebapp("/bad-client-sales-post-sig", new File(base, "bad-client-signed-post").toString()); tomcat.addWebapp("/bad-client-sales-post-sig", new File(base, "bad-client-signed-post").toString());
tomcat.addWebapp("/bad-realm-sales-post-sig", new File(base, "bad-realm-signed-post").toString()); tomcat.addWebapp("/bad-realm-sales-post-sig", new File(base, "bad-realm-signed-post").toString());
tomcat.addWebapp("/sales-post-enc", new File(base, "encrypted-post").toString()); tomcat.addWebapp("/sales-post-enc", new File(base, "encrypted-post").toString());
tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
SamlAdapterTestStrategy.uploadSP("http://localhost:8081/auth"); SamlAdapterTestStrategy.uploadSP("http://localhost:8081/auth");
@ -90,6 +92,14 @@ public class TomcatSamlTest {
tomcat.stop(); tomcat.stop();
tomcat.destroy(); tomcat.destroy();
} }
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test


@ -0,0 +1,3 @@
<Context path="/customer-portal">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
</Context>
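Review bot: `path="/customer-portal"` does not match the mount this fixture gets in `TomcatSamlTest` (`/input-portal`, judging by the `keycloak-saml.xml` that follows with entityID `http://localhost:8082/input-portal/`). Tomcat only honours `path` for a Context declared in server.xml and otherwise derives it from the webapp's directory, so this is harmless at runtime but reads as a copy-paste from another fixture and will mislead anyone debugging a path problem. Either make it truthful, `<Context path="/input-portal">`, or drop the attribute altogether: `<Context>`.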


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
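Review bot: The `<IDP entityID="idp">` element carries no `<Keys>` with the IdP signing certificate and no signature-validation attributes, and the matching `input-portal` client in testsaml.json sets no `saml.server.signature`, so this SP will accept unsigned responses and assertions. That is consistent with the existing unsigned `sales-post` fixture and fine for a test, but combined with `sslPolicy="EXTERNAL"` and plain `http://` binding URLs it is exactly the configuration that must never be copied into a deployment. I would mark the intent in the file itself, e.g. `<!-- test fixture: unsigned, plain HTTP; real deployments need the IdP signing key under <IDP><Keys> and signature validation enabled -->`, so the "why" does not have to be reconstructed from the realm JSON.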


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
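Review bot: The servlet is registered as `SendUsernameServlet` but its class is `org.keycloak.testsuite.keycloaksaml.InputServlet`, so the name in both `<servlet>` and `<servlet-mapping>` no longer describes what is mapped to `/*`; rename it to `<servlet-name>InputServlet</servlet-name>` in both places. Separately, `<auth-method>BASIC</auth-method>` combined with a `<form-login-config>` is contradictory, since `form-login-config` only applies to `FORM`; presumably neither is exercised because the `SamlAuthenticatorValve` in this fixture's context.xml supplies the authenticator, but a reader will assume a BASIC challenge protects `/secured/*`. Drop the `form-login-config`, or leave a one-line comment such as `<!-- auth-method is superseded by SamlAuthenticatorValve (META-INF/context.xml) -->` above `<login-config>`.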


@ -0,0 +1,3 @@
<Context path="/customer-portal">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
</Context>
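Review bot: `path="/customer-portal"` again does not match the mount point this fixture is deployed under in `TomcatSamlTest` (`/sales-post2`, judging by the following `keycloak-saml.xml` with entityID `http://localhost:8082/sales-post2/`). Tomcat ignores `path` in a per-application context.xml, so nothing breaks, but the stale value will confuse anyone comparing it against the `/sales-post2/saml` ACS URL in testsaml.json. Use `<Context path="/sales-post2">` or simply `<Context>`.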


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
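Review bot: This SP configuration has no IdP signing key and no signature-validation settings on `<IDP>`/`<SingleSignOnService>`, and the `sales-post2` client in testsaml.json sets no `saml.server.signature`, so responses and assertions are accepted unverified. For the IdP-initiated `redirectTo=/foo` scenario this fixture exists for, that means anyone who can POST to `/sales-post2/saml` can also supply the RelayState, so whatever consumes `redirectTo` must validate it independently of the (absent) signature check. Acceptable for a test, but worth a comment at the top of the file stating that it is deliberately unsigned and over plain HTTP (`sslPolicy="EXTERNAL"`), so it is not mistaken for a template.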


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
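Review bot: `<auth-method>BASIC</auth-method>` together with a `<form-login-config>` is an inconsistent `login-config`: the form pages are only meaningful for `FORM`, and presumably the `SamlAuthenticatorValve` from this fixture's context.xml replaces whichever authenticator Tomcat would otherwise install. The `el-jefe` role is also declared but referenced by no `<auth-constraint>`, so it does nothing here. Since the whole app (`/*`) is constrained to `manager`, I would trim this to what is actually exercised and note the override in place: `<!-- authentication is performed by SamlAuthenticatorValve; auth-method below is not used -->`.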


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",


@ -64,6 +64,8 @@ public class TomcatSamlTest {
URL dir = TomcatSamlTest.class.getResource("/keycloak-saml/testsaml.json"); URL dir = TomcatSamlTest.class.getResource("/keycloak-saml/testsaml.json");
File base = new File(dir.getFile()).getParentFile(); File base = new File(dir.getFile()).getParentFile();
tomcat.addWebapp("/sales-post", new File(base, "simple-post").toString()); tomcat.addWebapp("/sales-post", new File(base, "simple-post").toString());
tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
tomcat.addWebapp("/sales-post-sig", new File(base, "signed-post").toString()); tomcat.addWebapp("/sales-post-sig", new File(base, "signed-post").toString());
tomcat.addWebapp("/sales-post-sig-email", new File(base, "signed-post-email").toString()); tomcat.addWebapp("/sales-post-sig-email", new File(base, "signed-post-email").toString());
tomcat.addWebapp("/sales-post-sig-transient", new File(base, "signed-post-transient").toString()); tomcat.addWebapp("/sales-post-sig-transient", new File(base, "signed-post-transient").toString());
@ -91,6 +93,16 @@ public class TomcatSamlTest {
@Rule @Rule
public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule); public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
@Test
public void testSavedPostRequest() throws Exception {
testStrategy.testSavedPostRequest();
}
@Test
public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
}
@Test @Test
public void testErrorHandling() throws Exception { public void testErrorHandling() throws Exception {
testStrategy.testErrorHandling(); testStrategy.testErrorHandling();
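Review bot: `testPostSimpleLoginLogoutIdpInitiatedRedirectTo()` is declared without `throws Exception` while the adjacent `testSavedPostRequest()` has it; both are one-line delegations to `SamlAdapterTestStrategy`, so they should be declared the same way (`public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() throws Exception`) unless the strategy method really throws nothing. Because the scenarios live in the strategy class outside this section, a one-line comment on each would save a reader a lookup: `// replays the POST saved before the SAML redirect against /input-portal` and `// IdP-initiated SSO for /sales-post2 honouring the configured RelayState redirectTo=/foo` (the latter inferred from the `saml_idp_initiated_sso_relay_state` attribute in testsaml.json). The two new `addWebapp` calls in the first hunk are deployed before `uploadSP`, matching the existing fixtures.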


@ -0,0 +1,3 @@
<Context path="/customer-portal">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
</Context>
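Review bot: `path="/customer-portal"` is stale here too; the surrounding `TomcatSamlTest` mounts this fixture at `/input-portal`, and Tomcat ignores `path` in a webapp's own context.xml anyway. Change it to `<Context path="/input-portal">` or drop the attribute so the file does not contradict the deployment.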


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/input-portal/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
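Review bot: As with the other copy of this fixture, `<IDP>` declares no signing key and no signature validation, so `/input-portal/saml` accepts unsigned responses over `http://` with `sslPolicy="EXTERNAL"`. That is consistent with the unsigned `input-portal` client in testsaml.json and fine for the test, but add a file-level comment stating that it is intentionally unsigned so it is not lifted into a real SP configuration. Keeping the two copies of this file byte-identical (or generating one from the other) would also avoid them drifting apart.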


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>
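Review bot: The servlet name `SendUsernameServlet` is misleading for a mapping whose class is `InputServlet`; rename it in both the `<servlet>` and `<servlet-mapping>` elements. The `BASIC` auth-method plus `form-login-config` pairing is contradictory as well, and presumably inert because the valve in context.xml performs authentication — say so in a comment rather than leaving a reader to believe `/secured/*` is behind HTTP Basic. This file duplicates the earlier `input-portal` web.xml, so apply the same cleanup to both.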


@ -0,0 +1,3 @@
<Context path="/customer-portal">
<Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
</Context>
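Review bot: `path="/customer-portal"` does not match the `/sales-post2` mount in `TomcatSamlTest`; Tomcat derives the path from the directory for a per-app context.xml, so it is harmless but misleading. Use `<Context path="/sales-post2">` or just `<Context>`.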


@ -0,0 +1,24 @@
<keycloak-saml-adapter>
<SP entityID="http://localhost:8082/sales-post2/"
sslPolicy="EXTERNAL"
nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
logoutPage="/logout.jsp"
forceAuthentication="false">
<PrincipalNameMapping policy="FROM_NAME_ID"/>
<RoleIdentifiers>
<Attribute name="Role"/>
</RoleIdentifiers>
<IDP entityID="idp">
<SingleSignOnService requestBinding="POST"
bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
<SingleLogoutService
requestBinding="POST"
responseBinding="POST"
postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
/>
</IDP>
</SP>
</keycloak-saml-adapter>
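Review bot: The `<IDP>` element carries no `signaturesRequired` attribute and no `<Keys>` entry with a signing certificate, so this SP has nothing to verify the IdP's signature on responses and assertions with; that matches the `sales-post2` client in the realm JSON, which does not set `saml.server.signature`, so it is presumably a deliberate unsigned test fixture. Because adapter configs in the test tree are routinely copied as templates, a comment on the `<IDP>` line, e.g. `<!-- test-only: IdP signatures are not validated here; a real deployment needs signaturesRequired="true" and a <Keys> element -->`, would make that explicit. Likewise `sslPolicy="EXTERNAL"` is paired with plain http://localhost URLs, which is consistent for a localhost-only test but should not be read as a production setting.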


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<module-name>adapter-test</module-name>
<servlet>
<servlet-name>SendUsernameServlet</servlet-name>
<servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SendUsernameServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Users</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>demo</realm-name>
<form-login-config>
<form-login-page>/error.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>manager</role-name>
</security-role>
<security-role>
<role-name>el-jefe</role-name>
</security-role>
</web-app>


@ -7,9 +7,9 @@
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext"> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat> </NameIDFormat>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
<AssertionConsumerService <AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
index="1" isDefault="true" /> index="1" isDefault="true" />
<KeyDescriptor use="signing"> <KeyDescriptor use="signing">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">


@ -78,13 +78,45 @@
], ],
"attributes": { "attributes": {
"saml.authnstatement": "true", "saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
"saml_idp_initiated_sso_url_name": "sales-post" "saml_idp_initiated_sso_url_name": "sales-post"
} }
}, },
{
"name": "http://localhost:8082/sales-post2/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/sales-post2",
"redirectUris": [
"http://localhost:8082/sales-post2/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
"saml_idp_initiated_sso_url_name": "sales-post2",
"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
}
},
{
"name": "http://localhost:8082/input-portal/",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8082/input-portal/",
"redirectUris": [
"http://localhost:8082/input-portal/*"
],
"attributes": {
"saml.authnstatement": "true",
"saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
}
},
{ {
"name": "http://localhost:8082/sales-post-sig/", "name": "http://localhost:8082/sales-post-sig/",
"enabled": true, "enabled": true,
@ -95,10 +127,10 @@
"http://localhost:8082/sales-post-sig/*" "http://localhost:8082/sales-post-sig/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -112,15 +144,15 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-transient", "baseUrl": "http://localhost:8082/sales-post-sig-transient",
"adminUrl": "http://localhost:8082/sales-post-sig-transient", "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-transient/*" "http://localhost:8082/sales-post-sig-transient/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -138,10 +170,10 @@
"http://localhost:8082/sales-post-sig-persistent/*" "http://localhost:8082/sales-post-sig-persistent/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -155,17 +187,17 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/sales-post-sig-email", "baseUrl": "http://localhost:8082/sales-post-sig-email",
"adminUrl": "http://localhost:8082/sales-post-sig-email", "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/sales-post-sig-email/*" "http://localhost:8082/sales-post-sig-email/*"
], ],
"attributes": { "attributes": {
"saml_force_name_id_format": "true", "saml_force_name_id_format": "true",
"saml_name_id_format": "email", "saml_name_id_format": "email",
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA256", "saml.signature.algorithm": "RSA_SHA256",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -179,7 +211,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-realm-sales-post-sig/*" "http://localhost:8082/bad-realm-sales-post-sig/*"
], ],
@ -196,7 +228,7 @@
"protocol": "saml", "protocol": "saml",
"fullScopeAllowed": true, "fullScopeAllowed": true,
"baseUrl": "http://localhost:8082/bad-client-sales-post-sig/", "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
"adminUrl": "http://localhost:8082/bad-client-sales-post-sig/", "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
"redirectUris": [ "redirectUris": [
"http://localhost:8082/bad-client-sales-post-sig/*" "http://localhost:8082/bad-client-sales-post-sig/*"
], ],
@ -217,10 +249,10 @@
"http://localhost:8082/sales-post-enc/*" "http://localhost:8082/sales-post-enc/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/", "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.signature.algorithm": "RSA_SHA512", "saml.signature.algorithm": "RSA_SHA512",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -239,7 +271,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee-sig/*" "http://localhost:8082/employee-sig/*"
], ],
"adminUrl": "http://localhost:8082/employee-sig/", "adminUrl": "http://localhost:8082/employee-sig/saml",
"attributes": { "attributes": {
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
@ -257,7 +289,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee/*" "http://localhost:8082/employee/*"
], ],
"adminUrl": "http://localhost:8082/employee/", "adminUrl": "http://localhost:8082/employee/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -307,7 +339,7 @@
"redirectUris": [ "redirectUris": [
"http://localhost:8082/employee2/*" "http://localhost:8082/employee2/*"
], ],
"adminUrl": "http://localhost:8082/employee2/", "adminUrl": "http://localhost:8082/employee2/saml",
"attributes": { "attributes": {
"saml.authnstatement": "true" "saml.authnstatement": "true"
}, },
@ -359,10 +391,10 @@
"http://localhost:8082/employee-sig-front/*" "http://localhost:8082/employee-sig-front/*"
], ],
"attributes": { "attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
"saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/", "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
"saml.server.signature": "true", "saml.server.signature": "true",
"saml.client.signature": "true", "saml.client.signature": "true",
"saml.signature.algorithm": "RSA_SHA1", "saml.signature.algorithm": "RSA_SHA1",