KEYCLOAK-11806 Fix SAML adapter to not fail upon receiving a login response without the optional Destination attribute
parent
dda0f68b46
commit
d6f56e58c1
2 changed files with 25 additions and 2 deletions
|
@ -348,8 +348,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
|
||||||
try {
|
try {
|
||||||
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
|
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
|
||||||
cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
|
cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
|
||||||
|
if (responseType.getDestination() != null) {
|
||||||
// getDestination has been validated to match request URL already so it matches SAML endpoint
|
// getDestination has been validated to match request URL already so it matches SAML endpoint
|
||||||
cvb.addAllowedAudience(URI.create(responseType.getDestination()));
|
cvb.addAllowedAudience(URI.create(responseType.getDestination()));
|
||||||
|
}
|
||||||
} catch (IllegalArgumentException ex) {
|
} catch (IllegalArgumentException ex) {
|
||||||
// warning has been already emitted in DeploymentBuilder
|
// warning has been already emitted in DeploymentBuilder
|
||||||
}
|
}
|
||||||
|
|
|
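Review bot: With the new `if (responseType.getDestination() != null)` guard, a response that omits Destination is accepted with only the entity ID as an allowed audience, and nothing in the hunk states that the endpoint binding was skipped. The retained comment about Destination having been validated against the request URL now describes only the non-null branch; I would add a line such as `// Destination is optional; when absent only the entity ID is an allowed audience` above the `if`. The SAML bindings specification requires Destination on signed messages delivered over the front-channel POST and Redirect bindings, so it is worth confirming that the earlier destination check (outside this hunk) still rejects a signed response without it, rather than treating absence as a match. The enclosing method starts and ends outside the hunk.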
@ -1593,6 +1593,27 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDestinationUnset() throws Exception {
|
||||||
|
new SamlClientBuilder()
|
||||||
|
.navigateTo(employee2ServletPage.toString())
|
||||||
|
.processSamlResponse(Binding.POST).build()
|
||||||
|
.login().user(bburkeUser).build()
|
||||||
|
.processSamlResponse(Binding.POST)
|
||||||
|
.transformDocument(responseDoc -> {
|
||||||
|
responseDoc.getDocumentElement().removeAttribute("Destination");
|
||||||
|
return responseDoc;
|
||||||
|
})
|
||||||
|
.build()
|
||||||
|
|
||||||
|
.navigateTo(employee2ServletPage.toString())
|
||||||
|
|
||||||
|
.execute(r -> {
|
||||||
|
Assert.assertThat(r, statusCodeIsHC(Response.Status.OK));
|
||||||
|
Assert.assertThat(r, bodyHC(containsString("principal=")));
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// KEYCLOAK-4329
|
// KEYCLOAK-4329
|
||||||
@Test
|
@Test
|
||||||
public void testEmptyKeyInfoElement() {
|
public void testEmptyKeyInfoElement() {
|
||||||
|
|
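Review bot: `testDestinationUnset` has no issue-reference comment, while the neighbouring `testEmptyKeyInfoElement` is preceded by `// KEYCLOAK-4329`; adding `// KEYCLOAK-11806` above the new `@Test` would keep the file consistent. The test covers only the accepted case over `Binding.POST`. A companion case would pin the boundary of the relaxed check by asserting that a response whose Destination is present but does not match the endpoint is still rejected, unless one already exists elsewhere in the class. Removing the attribute through `transformDocument` would presumably invalidate a signature computed over the whole Response element, so a short comment naming the signing configuration the employee2 client relies on would explain why the login still succeeds.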