libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-11806 Fix SAML adapter to not fail upon receiving a login response without the optional Destination attribute

Browse source
This commit is contained in:
Benjamin Bentmann 2019-10-23 23:32:27 +02:00 committed by Hynek Mlnařík
parent dda0f68b46
commit d6f56e58c1
2 changed files with 25 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
View file

@ -348,8 +348,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
try { try {
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew()); cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
cvb.addAllowedAudience(URI.create(deployment.getEntityID())); cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
// getDestination has been validated to match request URL already so it matches SAML endpoint if (responseType.getDestination() != null) {
cvb.addAllowedAudience(URI.create(responseType.getDestination())); // getDestination has been validated to match request URL already so it matches SAML endpoint
cvb.addAllowedAudience(URI.create(responseType.getDestination()));
}
} catch (IllegalArgumentException ex) { } catch (IllegalArgumentException ex) {
// warning has been already emitted in DeploymentBuilder // warning has been already emitted in DeploymentBuilder
} }

21
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLServletAdapterTest.java
View file

@ -1593,6 +1593,27 @@ public class SAMLServletAdapterTest extends AbstractSAMLServletAdapterTest {
}); });
} }
@Test
public void testDestinationUnset() throws Exception {
new SamlClientBuilder()
.navigateTo(employee2ServletPage.toString())
.processSamlResponse(Binding.POST).build()
.login().user(bburkeUser).build()
.processSamlResponse(Binding.POST)
.transformDocument(responseDoc -> {
responseDoc.getDocumentElement().removeAttribute("Destination");
return responseDoc;
})
.build()
.navigateTo(employee2ServletPage.toString())
.execute(r -> {
Assert.assertThat(r, statusCodeIsHC(Response.Status.OK));
Assert.assertThat(r, bodyHC(containsString("principal=")));
});
}
// KEYCLOAK-4329 // KEYCLOAK-4329
@Test @Test
public void testEmptyKeyInfoElement() { public void testEmptyKeyInfoElement() {