KEYCLOAK-1861 Allow setting of signature algorithm when signing SAML AuthnRequests to IDPs

This commit is contained in:
Dane Barentine 2015-09-17 13:27:35 -07:00
parent 9dc54815eb
commit db20fd9eeb
5 changed files with 40 additions and 0 deletions

View file

@ -250,6 +250,7 @@ public class SAMLEndpoint {
builder.relayState(relayState);
if (config.isWantAuthnRequestsSigned()) {
builder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
.signatureAlgorithm(provider.getSignatureAlgorithm())
.signDocument();
}
try {

View file

@ -36,6 +36,7 @@ import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.saml.SAML2AuthnRequestBuilder;
import org.keycloak.protocol.saml.SAML2LogoutRequestBuilder;
import org.keycloak.protocol.saml.SAML2NameIDPolicyBuilder;
import org.keycloak.protocol.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
@ -110,6 +111,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
KeyPair keypair = new KeyPair(publicKey, privateKey);
authnRequestBuilder.signWith(keypair);
authnRequestBuilder.signatureAlgorithm(getSignatureAlgorithm());
authnRequestBuilder.signDocument();
}
@ -196,6 +198,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
.relayState(userSession.getId());
if (getConfig().isWantAuthnRequestsSigned()) {
logoutBuilder.signWith(realm.getPrivateKey(), realm.getPublicKey(), realm.getCertificate())
.signatureAlgorithm(getSignatureAlgorithm())
.signDocument();
}
return logoutBuilder;
@ -245,4 +248,13 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
"</EntityDescriptor>\n";
return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
}
public SignatureAlgorithm getSignatureAlgorithm() {
String alg = getConfig().getSignatureAlgorithm();
if (alg != null) {
SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
if (algorithm != null) return algorithm;
}
return SignatureAlgorithm.RSA_SHA256;
}
}

View file

@ -87,6 +87,14 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
getConfig().put("wantAuthnRequestsSigned", String.valueOf(wantAuthnRequestsSigned));
}
public String getSignatureAlgorithm() {
return getConfig().get("signatureAlgorithm");
}
public void setSignatureAlgorithm(String signatureAlgorithm) {
getConfig().put("signatureAlgorithm", signatureAlgorithm);
}
public String getEncryptionPublicKey() {
return getConfig().get("encryptionPublicKey");
}

View file

@ -693,10 +693,17 @@ module.controller('RealmIdentityProviderCtrl', function($scope, $filter, $upload
}
];
$scope.signatureAlgorithms = [
"RSA_SHA1",
"RSA_SHA256",
"RSA_SHA512",
"DSA_SHA1"
];
if (instance && instance.alias) {
} else {
$scope.identityProvider.config.nameIDPolicyFormat = $scope.nameIdFormats[0].format;
$scope.identityProvider.config.signatureAlgorithm = $scope.signatureAlgorithms[1];
$scope.identityProvider.updateProfileFirstLoginMode = "off";
}
}

View file

@ -135,6 +135,18 @@
</div>
<kc-tooltip> Indicates whether the identity provider expects signed a AuthnRequest.</kc-tooltip>
</div>
<div class="form-group" data-ng-show="identityProvider.config.wantAuthnRequestsSigned == 'true'">
<label class="col-md-2 control-label" for="signatureAlgorithm">Signature Algorithm</label>
<div class="col-sm-6">
<div>
<select class="form-control" id="signatureAlgorithm"
ng-model="identityProvider.config.signatureAlgorithm"
ng-options="alg for alg in signatureAlgorithms">
</select>
</div>
</div>
<kc-tooltip>The signature algorithm to use to sign documents.</kc-tooltip>
</div>
<div class="form-group">
<label class="col-md-2 control-label" for="forceAuthn">Force Authentication</label>
<div class="col-md-6">