KEYCLOAK-4033

2016-12-05 10:15:55 -05:00 · 2016-12-05 10:15:55 -05:00 · d354aa1f62
commit d354aa1f62
parent d7df86d6d0
1 changed files with 14 additions and 9 deletions
--- a/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
@ -46,6 +46,7 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr
    public static String getIDPDescriptorForClient(KeycloakSession session, RealmModel realm, ClientModel client, URI serverBaseUri) {
        SamlClient samlClient = new SamlClient(client);
        String idpEntityId = RealmsResource.realmBaseUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName()).toString();
+        String bindUrl = RealmsResource.protocolUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString();
        StringBuilder sb = new StringBuilder();
        sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<EntityDescriptor entityID=\"").append(idpEntityId).append("\"\n"
@ -56,6 +57,17 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr
          .append(samlClient.requiresClientSignature())
          .append("\"\n"
            + "      protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n");
+
+        // logout service
+        sb.append("      <SingleLogoutService\n"
+                + "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n"
+                + "         Location=\"").append(bindUrl).append("\" />\n");
+        if (! samlClient.forcePostBinding()) {
+            sb.append("      <SingleLogoutService\n"
+                    + "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n"
+                    + "         Location=\"").append(bindUrl).append("\" />\n");
+        }
+        // nameid format
        if (samlClient.forceNameIDFormat() && samlClient.getNameIDFormat() != null) {
            sb.append("   <NameIDFormat>").append(samlClient.getNameIDFormat()).append("</NameIDFormat>\n");
        } else {
@ -64,7 +76,7 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr
              + "   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n"
              + "   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n");
        }
-        String bindUrl = RealmsResource.protocolUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString();
+        // sign on service
        sb.append("\n"
          + "      <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n"
          + "         Location=\"").append(bindUrl).append("\" />\n");
@ -73,15 +85,8 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr
             + "         Location=\"").append(bindUrl).append("\" />\n");

        }
-        sb.append("      <SingleLogoutService\n"
-          + "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n"
-          + "         Location=\"").append(bindUrl).append("\" />\n");
-        if (! samlClient.forcePostBinding()) {
-            sb.append("      <SingleLogoutService\n"
-              + "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n"
-              + "         Location=\"").append(bindUrl).append("\" />\n");
-        }

+        // keys
        Set<KeyMetadata> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
          ? (int) (o2.getProviderPriority() - o1.getProviderPriority())
          : (o1.getStatus() == KeyMetadata.Status.PASSIVE ? 1 : -1));