From d6f56e58c11adb7f0c43290581533a0e89c4e521 Mon Sep 17 00:00:00 2001
From: Benjamin Bentmann
Date: Wed, 23 Oct 2019 23:32:27 +0200
Subject: [PATCH] KEYCLOAK-11806 Fix SAML adapter to not fail upon receiving a login response without the optional Destination attribute
---
 .../AbstractSamlAuthenticationHandler.java | 6 ++++--
 .../servlet/SAMLServletAdapterTest.java | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
index c96bed25fd..2034bf6f87 100644
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@@ -348,8 +348,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 try {
 cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
 cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
- // getDestination has been validated to match request URL already so it matches SAML endpoint
- cvb.addAllowedAudience(URI.create(responseType.getDestination()));
+ if (responseType.getDestination() != null) {
+ // getDestination has been validated to match request URL already so it matches SAML endpoint
+ cvb.addAllowedAudience(URI.create(responseType.getDestination()));
+ }
 } catch (IllegalArgumentException ex) {
 // warning has been already emitted in DeploymentBuilder
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java
index bc4acd7edd..828e735eb9 100644
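Review bot: The retained comment inside the new `if (responseType.getDestination() != null)` guard says the destination "has been validated to match request URL already", which now holds only when the attribute is present, and nothing in the hunk records what is accepted when it is absent. The SAML 2.0 bindings specification requires Destination on signed messages delivered over the POST and Redirect bindings, so the earlier destination check (outside this hunk, not visible here) should presumably still reject a signed response that omits it; please confirm. I would put a comment above the guard such as `// Destination is optional in the schema; when it is absent only the entity ID is an allowed audience`. The enclosing method starts and ends outside the hunk.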
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java
@@ -1593,6 +1593,27 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
 });
 }
+ @Test
+ public void testDestinationUnset() throws Exception {
+ new SamlClientBuilder()
+ .navigateTo(employee2ServletPage.toString())
+ .processSamlResponse(Binding.POST).build()
+ .login().user(bburkeUser).build()
+ .processSamlResponse(Binding.POST)
+ .transformDocument(responseDoc -> {
+ responseDoc.getDocumentElement().removeAttribute("Destination");
+ return responseDoc;
+ })
+ .build()
+
+ .navigateTo(employee2ServletPage.toString())
+
+ .execute(r -> {
+ Assert.assertThat(r, statusCodeIsHC(Response.Status.OK));
+ Assert.assertThat(r, bodyHC(containsString("principal=")));
+ });
+ }
+
 // KEYCLOAK-4329
 @Test
 public void testEmptyKeyInfoElement() {