KEYCLOAK-11806 Fix SAML adapter to not fail upon receiving a login response without the optional Destination attribute

This commit is contained in:
Benjamin Bentmann 2019-10-23 23:32:27 +02:00 committed by Hynek Mlnařík
parent dda0f68b46
commit d6f56e58c1
2 changed files with 25 additions and 2 deletions

View file

@ -348,8 +348,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
try { try {
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew()); cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
cvb.addAllowedAudience(URI.create(deployment.getEntityID())); cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
if (responseType.getDestination() != null) {
// getDestination has been validated to match request URL already so it matches SAML endpoint // getDestination has been validated to match request URL already so it matches SAML endpoint
cvb.addAllowedAudience(URI.create(responseType.getDestination())); cvb.addAllowedAudience(URI.create(responseType.getDestination()));
}
} catch (IllegalArgumentException ex) { } catch (IllegalArgumentException ex) {
// warning has been already emitted in DeploymentBuilder // warning has been already emitted in DeploymentBuilder
} }

View file

@ -1593,6 +1593,27 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
}); });
} }
@Test
public void testDestinationUnset() throws Exception {
new SamlClientBuilder()
.navigateTo(employee2ServletPage.toString())
.processSamlResponse(Binding.POST).build()
.login().user(bburkeUser).build()
.processSamlResponse(Binding.POST)
.transformDocument(responseDoc -> {
responseDoc.getDocumentElement().removeAttribute("Destination");
return responseDoc;
})
.build()
.navigateTo(employee2ServletPage.toString())
.execute(r -> {
Assert.assertThat(r, statusCodeIsHC(Response.Status.OK));
Assert.assertThat(r, bodyHC(containsString("principal=")));
});
}
// KEYCLOAK-4329 // KEYCLOAK-4329
@Test @Test
public void testEmptyKeyInfoElement() { public void testEmptyKeyInfoElement() {