From 71f0db0837840b2af913ad0b2e21871b2d3e0994 Mon Sep 17 00:00:00 2001
From: Frederik Libert
Date: Fri, 12 May 2017 12:25:50 +0200
Subject: [PATCH 1/2] KEYCLOAK-4897 SAML Adapter fails to validate signature on encrypted assertion.
---
 .../AbstractSamlAuthenticationHandler.java | 49 +++++++++++++++++--
 1 file changed, 44 insertions(+), 5 deletions(-)
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
index 550eeeb616..5721b038a9 100644
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@@ -53,10 +53,12 @@ import org.keycloak.saml.SAML2AuthnRequestBuilder;
 import org.keycloak.saml.SAMLRequestParser;
 import org.keycloak.saml.SignatureAlgorithm;
 import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.keycloak.saml.common.util.Base64;
+import org.keycloak.saml.common.util.DocumentUtil;
 import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
 import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
@@ -74,10 +76,14 @@ import java.security.PublicKey;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.*;
+
+import javax.xml.namespace.QName;
+
 import org.keycloak.dom.saml.v2.SAML2Object;
 import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
 import org.keycloak.rotation.KeyLocator;
 import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
+import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
 /**
 *
@@ -210,7 +216,7 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 return AuthOutcome.FAILED;
 }
 }
- return handleLoginResponse((ResponseType) statusResponse, postBinding, onCreateSession);
+ return handleLoginResponse(holder, postBinding, onCreateSession);
 } finally {
 sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
 }
@@ -312,7 +318,8 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 return false;
 }
- protected AuthOutcome handleLoginResponse(final ResponseType responseType, boolean postBinding, OnSessionCreated onCreateSession) {
+ protected AuthOutcome handleLoginResponse(SAMLDocumentHolder responseHolder, boolean postBinding, OnSessionCreated onCreateSession) {
+ final ResponseType responseType = (ResponseType) responseHolder.getSamlObject();
 AssertionType assertion = null;
 if (! isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
 challenge = new AuthChallenge() {
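Review bot: Changing the first parameter of `handleLoginResponse` from `ResponseType` to `SAMLDocumentHolder` is a source- and binary-incompatible change to a `protected` method on an abstract handler, so any adapter subclass that overrides or calls the old overload stops compiling or silently stops overriding; if that is accepted, the new contract deserves a Javadoc line on the method and a release note. The new first statement casts `responseHolder.getSamlObject()` unchecked, so a holder wrapping something other than a Response would surface as a `ClassCastException` out of the handler rather than as a failed challenge; an `instanceof ResponseType` guard returning `AuthOutcome.FAILED` would keep the failure mode explicit, though the only caller visible here already narrowed `statusResponse`, so this may be unreachable today. The body of `handleLoginResponse` continues past the last hunk.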
@@ -357,11 +364,12 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
 try {
- validateSamlSignature(new SAMLDocumentHolder(AssertionUtil.asDocument(assertion)), postBinding, GeneralConstants.SAML_RESPONSE_KEY);
+ validateSamlSignature(new SAMLDocumentHolder(buildAssertionDocument(responseHolder, assertion)), postBinding, GeneralConstants.SAML_RESPONSE_KEY);
 } catch (VerificationException e) {
 log.error("Failed to verify saml assertion signature", e);
 challenge = new AuthChallenge() {
+ @Override
 public boolean challenge(HttpFacade exchange) {
 SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE, responseType);
@@ -376,8 +384,24 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 }
 };
 return AuthOutcome.FAILED;
- } catch (ProcessingException e) {
- e.printStackTrace();
+ } catch (Exception e) {
+ log.error("Error processing validation of SAML assertion: " + e.getMessage());
+ challenge = new AuthChallenge() {
+
+ @Override
+ public boolean challenge(HttpFacade exchange) {
+ SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
+ exchange.getRequest().setError(error);
+ exchange.getResponse().sendError(403);
+ return true;
+ }
+
+ @Override
+ public int getResponseCode() {
+ return 403;
+ }
+ };
+ return AuthOutcome.FAILED;
 }
 }
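Review bot: The new `catch (Exception e)` block logs only `e.getMessage()`, so the stack trace of a decryption or parsing failure is lost — for diagnosing why an encrypted assertion was rejected this is a step back from the `e.printStackTrace()` it replaces; pass the throwable, `log.error("Error processing validation of SAML assertion", e);`, as the `VerificationException` branch just above already does. Catching `Exception` instead of the `ConfigurationException | ProcessingException` that `buildAssertionDocument` declares also routes runtime errors such as a `NullPointerException` into the 403 path; failing closed is the right outcome, but a narrower multi-catch would keep programming errors visible, provided no other checked exception escapes the `try`. Both hunks lie inside `handleLoginResponse`, whose body starts and ends outside them.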
@@ -480,6 +504,21 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 && Objects.equals(responseType.getStatus().getStatusCode().getValue().toString(), JBossSAMLURIConstants.STATUS_SUCCESS.get());
 }
+ private Document buildAssertionDocument(final SAMLDocumentHolder responseHolder, AssertionType assertion) throws ConfigurationException, ProcessingException {
+ Element encryptedAssertion = org.keycloak.saml.common.util.DocumentUtil.getElement(responseHolder.getSamlDocument(), new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
+ if (encryptedAssertion != null) {
+ // encrypted assertion.
+ // We'll need to decrypt it first.
+ Document encryptedAssertionDocument = DocumentUtil.createDocument();
+ encryptedAssertionDocument.appendChild(encryptedAssertionDocument.importNode(encryptedAssertion, true));
+ Element assertionElement = XMLEncryptionUtil.decryptElementInDocument(encryptedAssertionDocument, deployment.getDecryptionKey());
+ Document assertionDocument = DocumentUtil.createDocument();
+ assertionDocument.appendChild(assertionDocument.importNode(assertionElement, true));
+ return assertionDocument;
+ }
+ return AssertionUtil.asDocument(assertion);
+ }
+
 private String getAttributeValue(Object attrValue) {
 String value = null;
 if (attrValue instanceof String) {
From 10c9e0f00f46b04c95a05b7671283cacbd36fe5d Mon Sep 17 00:00:00 2001
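Review bot: `buildAssertionDocument` decrypts whichever `EncryptedAssertion` element `getElement` returns first and never checks that it is the same assertion as the `assertion` parameter, so for a response carrying more than one assertion the signature could be verified over a different assertion than the one whose statements the handler goes on to use; the `QName` is built without a namespace, so the lookup presumably matches on local name only, which does not narrow it either. Compare the IDs before returning, e.g. `if (!Objects.equals(assertionElement.getAttribute("ID"), assertion.getID())) { throw new ProcessingException("Decrypted assertion ID does not match the assertion being validated"); }`, so that the element whose signature is checked is the one that was parsed. The fully qualified `org.keycloak.saml.common.util.DocumentUtil.getElement` on the first line can use the plain `DocumentUtil` that this commit imports and that the method already uses two lines later. The method also deserves a Javadoc stating that it returns the assertion as the decrypted DOM taken from the original response rather than a re-serialization of the parsed object, presumably because a re-serialized assertion no longer matches its signature — the failure the commit subject describes.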
From: Hynek Mlnarik
Date: Wed, 17 May 2017 10:45:38 +0200
Subject: [PATCH 2/2] KEYCLOAK-4897 Tests for assertion-only signatures with encrypted assertions
---
 .../adapter/page/SalesPostEncServlet.java | 1 +
 ...SalesPostEncSignAssertionsOnlyServlet.java | 40 +++++++++++
 .../util/ClientAttributeUpdater.java | 55 +++++++++++++++
 .../testsuite/util/RealmAttributeUpdater.java | 55 +++++++++++++++
 .../AbstractSAMLFilterServletAdapterTest.java | 2 +
 .../AbstractSAMLServletsAdapterTest.java | 32 +++++++--
 .../WEB-INF/keycloak-saml.xml | 65 ++++++++++++++++++
 .../WEB-INF/keystore.jks | Bin 0 -> 1707 bytes
 .../adapter-test/keycloak-saml/testsaml.json | 19 +++++
 9 files changed, 265 insertions(+), 4 deletions(-)
 create mode 100644 testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncSignAssertionsOnlyServlet.java
 create mode 100644 testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ClientAttributeUpdater.java
 create mode 100644 testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/RealmAttributeUpdater.java
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keycloak-saml.xml
 create mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keystore.jks
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncServlet.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncServlet.java
index 874b1e892d..82a29fefc4 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncServlet.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncServlet.java
@@ -27,6 +27,7 @@ import java.net.URL;
 */
 public class SalesPostEncServlet extends SAMLServlet {
 public static final String DEPLOYMENT_NAME = "sales-post-enc";
+ public static final String CLIENT_NAME = "http://localhost:8081/sales-post-enc/";
 @ArquillianResource
 @OperateOnDeployment(DEPLOYMENT_NAME)
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncSignAssertionsOnlyServlet.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncSignAssertionsOnlyServlet.java
new file mode 100644
index 0000000000..cb44ac2f56
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/SalesPostEncSignAssertionsOnlyServlet.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.adapter.page;
+
+import org.jboss.arquillian.container.test.api.OperateOnDeployment;
+import org.jboss.arquillian.test.api.ArquillianResource;
+
+import java.net.URL;
+
+/**
+ * @author mhajas
+ */
+public class SalesPostEncSignAssertionsOnlyServlet extends SAMLServlet {
+ public static final String DEPLOYMENT_NAME = "sales-post-enc-sign-assertions-only";
+ public static final String CLIENT_NAME = "http://localhost:8081/sales-post-enc-sign-assertions-only/";
+
+ @ArquillianResource
+ @OperateOnDeployment(DEPLOYMENT_NAME)
+ private URL url;
+
+ @Override
+ public URL getInjectedUrl() {
+ return url;
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ClientAttributeUpdater.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ClientAttributeUpdater.java
new file mode 100644
index 0000000000..d3effb9d7e
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ClientAttributeUpdater.java
@@ -0,0 +1,55 @@
+package org.keycloak.testsuite.util;
+
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import java.io.Closeable;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class ClientAttributeUpdater {
+
+ private final Map originalAttributes = new HashMap<>();
+
+ private final ClientResource clientResource;
+
+ private final ClientRepresentation rep;
+
+ public ClientAttributeUpdater(ClientResource clientResource) {
+ this.clientResource = clientResource;
+ this.rep = clientResource.toRepresentation();
+ if (this.rep.getAttributes() == null) {
+ this.rep.setAttributes(new HashMap<>());
+ }
+ }
+
+ public ClientAttributeUpdater setAttribute(String name, String value) {
+ if (! originalAttributes.containsKey(name)) {
+ this.originalAttributes.put(name, this.rep.getAttributes().put(name, value));
+ } else {
+ this.rep.getAttributes().put(name, value);
+ }
+ return this;
+ }
+
+ public ClientAttributeUpdater removeAttribute(String name) {
+ if (! originalAttributes.containsKey(name)) {
+ this.originalAttributes.put(name, this.rep.getAttributes().put(name, null));
+ } else {
+ this.rep.getAttributes().put(name, null);
+ }
+ return this;
+ }
+
+ public Closeable update() {
+ clientResource.update(rep);
+
+ return () -> {
+ rep.getAttributes().putAll(originalAttributes);
+ clientResource.update(rep);
+ };
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/RealmAttributeUpdater.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/RealmAttributeUpdater.java
new file mode 100644
index 0000000000..909bfcab18
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/RealmAttributeUpdater.java
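Review bot: `originalAttributes` is declared as a raw `Map` (at least as rendered here), which makes the `putAll` in the returned `Closeable` an unchecked call; declaring it `Map<String, String>` to match `ClientRepresentation.getAttributes()` costs nothing. More importantly, an attribute that did not exist before `setAttribute` is recorded with a `null` original, and the restore then writes that `null` back with `putAll` instead of removing the key — whether the client really ends up in its original state depends on how the server treats null-valued attributes, so such keys should be removed explicitly on restore. `removeAttribute` likewise stores `null` rather than removing the key, so the same ambiguity exists on the way in. `RealmAttributeUpdater` in the next file is a copy of this class and has the same two issues.
```java
    public Closeable update() {
        clientResource.update(rep);

        return () -> {
            // A null original value means the key was absent before; remove it rather than storing null.
            originalAttributes.forEach((name, original) -> {
                if (original == null) {
                    rep.getAttributes().remove(name);
                } else {
                    rep.getAttributes().put(name, original);
                }
            });
            clientResource.update(rep);
        };
    }
```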
@@ -0,0 +1,55 @@
+package org.keycloak.testsuite.util;
+
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.representations.idm.RealmRepresentation;
+import java.io.Closeable;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ *
+ * @author hmlnarik
+ */
+public class RealmAttributeUpdater {
+
+ private final Map originalAttributes = new HashMap<>();
+
+ private final RealmResource realmResource;
+
+ private final RealmRepresentation rep;
+
+ public RealmAttributeUpdater(RealmResource realmResource) {
+ this.realmResource = realmResource;
+ this.rep = realmResource.toRepresentation();
+ if (this.rep.getAttributes() == null) {
+ this.rep.setAttributes(new HashMap<>());
+ }
+ }
+
+ public RealmAttributeUpdater setAttribute(String name, String value) {
+ if (! originalAttributes.containsKey(name)) {
+ this.originalAttributes.put(name, this.rep.getAttributes().put(name, value));
+ } else {
+ this.rep.getAttributes().put(name, value);
+ }
+ return this;
+ }
+
+ public RealmAttributeUpdater removeAttribute(String name) {
+ if (! originalAttributes.containsKey(name)) {
+ this.originalAttributes.put(name, this.rep.getAttributes().put(name, null));
+ } else {
+ this.rep.getAttributes().put(name, null);
+ }
+ return this;
+ }
+
+ public Closeable update() {
+ realmResource.update(rep);
+
+ return () -> {
+ rep.getAttributes().putAll(originalAttributes);
+ realmResource.update(rep);
+ };
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLFilterServletAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLFilterServletAdapterTest.java
index ce92fb8bd4..70ef8202bf 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLFilterServletAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLFilterServletAdapterTest.java
@@ -24,6 +24,7 @@ public abstract class AbstractSAMLFilterServletAdapterTest extends AbstractSAMLS
 salesMetadataServletPage.checkRoles(true);
 salesPostServletPage.checkRoles(true);
 salesPostEncServletPage.checkRoles(true);
+ salesPostEncSignAssertionsOnlyServletPage.checkRoles(true);
 salesPostSigServletPage.checkRoles(true);
 salesPostPassiveServletPage.checkRoles(true);
 salesPostSigPersistentServletPage.checkRoles(true);
@@ -56,6 +57,7 @@ public abstract class AbstractSAMLFilterServletAdapterTest extends AbstractSAMLS
 salesMetadataServletPage.checkRoles(false);
 salesPostServletPage.checkRoles(false);
 salesPostEncServletPage.checkRoles(false);
+ salesPostEncSignAssertionsOnlyServletPage.checkRoles(false);
 salesPostSigServletPage.checkRoles(false);
 salesPostPassiveServletPage.checkRoles(false);
 salesPostSigEmailServletPage.checkRoles(false);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
index 2795a2d21c..ecf48bf850 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
@@ -86,14 +86,13 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 import java.io.ByteArrayInputStream;
+import java.io.Closeable;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
 import java.security.KeyPair;
 import java.security.PublicKey;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.stream.Collectors;
 import static org.hamcrest.Matchers.*;
@@ -107,7 +106,6 @@ import static org.keycloak.testsuite.util.IOUtil.loadXML;
 import static org.keycloak.testsuite.util.IOUtil.modifyDocElementAttribute;
 import static org.keycloak.testsuite.util.Matchers.bodyHC;
 import static org.keycloak.testsuite.util.Matchers.statusCodeIsHC;
-import static org.keycloak.testsuite.util.SamlClient.Binding.POST;
 import static org.keycloak.testsuite.util.SamlClient.idpInitiatedLogin;
 import static org.keycloak.testsuite.util.SamlClient.login;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
@@ -156,6 +154,9 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
 @Page
 protected SalesPostEncServlet salesPostEncServletPage;
+ @Page
+ protected SalesPostEncSignAssertionsOnlyServlet salesPostEncSignAssertionsOnlyServletPage;
+
 @Page
 protected SalesPostPassiveServlet salesPostPassiveServletPage;
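Review bot: Replacing the explicit `java.util.LinkedHashMap`, `List` and `Map` imports with `import java.util.*;` in the first hunk hides which collection types this test depends on and, next to the static `org.hamcrest.Matchers.*` import already visible, raises the chance of an ambiguous-name clash later; keep the three explicit imports and add only the `java.util` type the new test code needs. The other two hunks here only drop an unused static import and add the new page field, which is fine.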
@@ -259,6 +260,11 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
 return samlServletDeployment(SalesPostEncServlet.DEPLOYMENT_NAME, SendUsernameServlet.class);
 }
+ @Deployment(name = SalesPostEncSignAssertionsOnlyServlet.DEPLOYMENT_NAME)
+ protected static WebArchive salesPostEncSignAssertionsOnly() {
+ return samlServletDeployment(SalesPostEncSignAssertionsOnlyServlet.DEPLOYMENT_NAME, SendUsernameServlet.class);
+ }
+
 @Deployment(name = SalesPostPassiveServlet.DEPLOYMENT_NAME)
 protected static WebArchive salesPostPassive() {
 return samlServletDeployment(SalesPostPassiveServlet.DEPLOYMENT_NAME, SendUsernameServlet.class);
@@ -625,6 +631,24 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
 testSuccessfulAndUnauthorizedLogin(salesPostEncServletPage, testRealmSAMLPostLoginPage);
 }
+ @Test
+ public void salesPostEncSignedAssertionsOnlyTest() throws Exception {
+ testSuccessfulAndUnauthorizedLogin(salesPostEncSignAssertionsOnlyServletPage, testRealmSAMLPostLoginPage);
+ }
+
+ @Test
+ public void salesPostEncSignedAssertionsAndDocumentTest() throws Exception {
+ ClientRepresentation salesPostEncClient = testRealmResource().clients().findByClientId(SalesPostEncServlet.CLIENT_NAME).get(0);
+ try (Closeable client = new ClientAttributeUpdater(testRealmResource().clients().get(salesPostEncClient.getId()))
+ .setAttribute(SamlConfigAttributes.SAML_ASSERTION_SIGNATURE, "true")
+ .setAttribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true")
+ .update()) {
+ testSuccessfulAndUnauthorizedLogin(salesPostEncServletPage, testRealmSAMLPostLoginPage);
+ } finally {
+ salesPostEncServletPage.logout();
+ }
+ }
+
 @Test
 public void salesPostPassiveTest() {
 salesPostPassiveServletPage.navigateTo();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keycloak-saml.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keycloak-saml.xml new file mode 100644 index 0000000000..39df7d9199 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keycloak-saml.xml @@ -0,0 +1,65 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keystore.jks b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/sales-post-enc-sign-assertions-only/WEB-INF/keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..822162ceafcff816168fc3f807f89fd92b3a5b50 GIT binary patch literal 1707 zcmezO_TO6u1_mZ5W@J#!C@Cqh($~+)PfpCq$S*FjvM{hP&@WERNiEhb0P=NH^OE%$ z7#KYz6Cck2>fCM6#I)UjkBv*4jgf^>i%F1?k(Gg^iD_}UrK(uopPZv*t2wL8A259| zI`aN?JiEB@-|zCT62!dE<>@TxeEi#`qr%MakaWne8HuU8&Rf+!eJZ~A)@+%b=gTI3 z}t}Kh9&n=xJALY&1%rE5Xtj}?DT3ccM zzLjyk;p>IxtN$4~rTF4^4ps*5w|#qJs2RvHVwb2&4HHT}G6mX>j_ zB+o}SspL-?$AXY9wxY~mM~*v+D~M|>%H*l2iZEQN!al!g#~+h?y&1C}=&v$5_+O5# zR%d3~n;*41-+Z&%&i3i$*)(=Ral;#RLfz^&PQ6<Qk@kn?I8f zjIOE4xjuWt#>U7;qK%6d3)%2m14Fs+o7Q&E9j))cZvD$~6VY z`K(_`wXXQUxM_Mhr?CS~BYT&SjNF;a8)T1v<|-EnYKW znfn*>D>c8X3LLs5P1|ff&b-t-VNq&;?Vioj(ITpk3UflLeQh3Y6*TpjZ^9VuFHMb&eJmqcO-J4oF zbGD7s$43iWZ3{J-+7!AQT!5*bk%2Wr&(y#Y$hu+B#CQdWZJF4BsXJ^AhXF4er&gOs z+jm|@Ms8LH0|P@n106QzP!?uk;oH(zciJ^g^nW2f1fr(j^IIj_mYh+{=MTUuu z^O0Qz%xcVyy$lA8olK3547cC;aN0S}4X#t{Je7LzSJmIl-oix>zqec}-c+>ys(RVH z%*jd*@*R%6abo$sQfPD2n-yw*WGopk6&-$JdYffp?5A2WsirksU*>P)Yuy^;GoQJ7 z@}8NwKluez+rJxDUkvYCeEasf4VtEsceWo(l%IaPF2wP{WQH&M1AlD0;(AL+lZly; zff3nxz(8XLy31$n$L6n$@yBQXo_hZr(=E$&mcrE~rH(K5#ERZ8I&Z#b+bUs;BU`Pz zr8c>A&r6AWl)yGM&1vQb4o#I_oh|BOuXM~qyRWUTO*ItA>|5^}DX-3=CvY~Copog} z|N5DNGK~)=UHQ|pwxdD&?wy#ue6r zd2BP!>`mM!Yq(`!TJbIuv&C2Ewm#AOA#+G!JDbt5!_jU6S)7>#?>v{JPHTJiyvVW5 zru?pR{_i>e0}k$(tnC;r5oa2-Tz}z$Rl!j?$69MXo#%*GVPaaoN$;=8DZBZLmV5R~ zRC>-U{#CZmc$=BE5M#KQAhT%8+^_n$VvLhZT`uC}-UE*l?{^AlWvh6deKg5YY<{so z^Q;Vw9PO7U<@L_LnB4EW+5EY0g8J|5$c6=1gidY{vHttw(t18eyGrhp*H{h&Mm|5) z%XjibrSU~}U-!N`MaQ7}%Tf>4p1ZBL@64UmmXiN}_-uXncfFnNCXPLmB^?rPC~tmt e?8L6K8&o7B!`iO)afL5ud@^C)tPg?}*4Y3Vufd)G literal 0 HcmV?d00001 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json index 25e1f21d29..e1901298d2 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json @@ -331,6 +331,25 @@ "saml.encryption.certificate": "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" } }, + { + "clientId": "http://localhost:8081/sales-post-enc-sign-assertions-only/", + "enabled": true, + "protocol": "saml", + "fullScopeAllowed": true, + "baseUrl": "http://localhost:8080/sales-post-enc-sign-assertions-only", + "redirectUris": [ + ], + "attributes": { + "saml.server.signature": "false", + "saml.assertion.signature": "true", + "saml.signature.algorithm": "RSA_SHA512", + "saml.client.signature": "true", + "saml.encrypt": "true", + "saml.authnstatement": "true", + "saml.signing.certificate": "MIIB1DCCAT0CBgFJGVacCDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1lbmMvMB4XDTE0MTAxNjE0MjA0NloXDTI0MTAxNjE0MjIyNlowMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3QtZW5jLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2+5MCT5BnVN+IYnKZcH6ev1pjXGi4feE0nOycq/VJ3aeaZMi4G9AxOxCBPupErOC7Kgm/Bw5AdJyw+Q12wSRXfJ9FhqCrLXpb7YOhbVSTJ8De5O8mW35DxAlh/cxe9FXjqPb286wKTUZ3LfGYR+X235UQeCTAPS/Ufi21EXaEikCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBMrfGD9QFfx5v7ld/OAto5rjkTe3R1Qei8XRXfcs83vLaqEzjEtTuLGrJEi55kXuJgBpVmQpnwCCkkjSy0JxbqLDdVi9arfWUxEGmOr01ZHycELhDNaQcFqVMPr5kRHIHgktT8hK2IgCvd3Fy9/JCgUgCPxKfhwecyEOKxUc857g==", + "saml.encryption.certificate": "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" + } + }, { "clientId": "http://localhost:8081/employee-sig/", "enabled": true,