Merge pull request #910 from patriot1burke/master
saml persistent and transient id support
This commit is contained in:
Bill Burke
commit
dc94fac9f5
19 changed files with 281 additions and 44 deletions
|
|
@ -22,9 +22,11 @@ import java.net.URI;
|
|||
*/
|
||||
public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRequestBuilder> {
|
||||
protected String userPrincipal;
|
||||
protected String userPrincipalFormat;
|
||||
|
||||
public SAML2LogoutRequestBuilder userPrincipal(String userPrincipal) {
|
||||
this.userPrincipal = userPrincipal;
|
||||
public SAML2LogoutRequestBuilder userPrincipal(String nameID, String nameIDformat) {
|
||||
this.userPrincipal = nameID;
|
||||
this.userPrincipalFormat = nameIDformat;
|
||||
return this;
|
||||
}
|
||||
|
||||
|
|
@ -51,7 +53,7 @@ public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRe
|
|||
NameIDType nameID = new NameIDType();
|
||||
nameID.setValue(userPrincipal);
|
||||
//Deal with NameID Format
|
||||
String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
|
||||
String nameIDFormat = userPrincipalFormat;
|
||||
nameID.setFormat(URI.create(nameIDFormat));
|
||||
lort.setNameID(nameID);
|
||||
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
|
|||
import javax.ws.rs.core.Response;
|
||||
import javax.ws.rs.core.UriInfo;
|
||||
import java.security.PublicKey;
|
||||
import java.util.UUID;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||
|
|
@ -54,7 +55,10 @@ public class SamlProtocol implements LoginProtocol {
|
|||
public static final String SAML_ENCRYPT = "saml.encrypt";
|
||||
public static final String SAML_FORCE_POST_BINDING = "saml.force.post.binding";
|
||||
public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
|
||||
public static final String SAML_NAME_ID = "SAML_NAME_ID";
|
||||
public static final String SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT";
|
||||
public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
|
||||
public static final String SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for";
|
||||
|
||||
protected KeycloakSession session;
|
||||
|
||||
|
|
@ -125,12 +129,25 @@ public class SamlProtocol implements LoginProtocol {
|
|||
}
|
||||
|
||||
protected String getNameId(String nameIdFormat, ClientSessionModel clientSession, UserSessionModel userSession) {
|
||||
if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
|
||||
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
|
||||
return userSession.getUser().getEmail();
|
||||
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
|
||||
// "G-" stands for "generated" Add this for the slight possibility of collisions.
|
||||
return "G-" + UUID.randomUUID().toString();
|
||||
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())) {
|
||||
// generate a persistent user id specifically for each client.
|
||||
UserModel user = userSession.getUser();
|
||||
String name = SAML_PERSISTENT_NAME_ID_FOR + "." + clientSession.getClient().getClientId();
|
||||
String samlPersistentId = user.getAttribute(name);
|
||||
if (samlPersistentId != null) return samlPersistentId;
|
||||
// "G-" stands for "generated"
|
||||
samlPersistentId = "G-" + UUID.randomUUID().toString();
|
||||
user.setAttribute(name, samlPersistentId);
|
||||
return samlPersistentId;
|
||||
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())){
|
||||
// TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
|
||||
return userSession.getUser().getUsername();
|
||||
} else {
|
||||
// TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
|
||||
return userSession.getUser().getUsername();
|
||||
}
|
||||
}
|
||||
|
|
@ -146,6 +163,11 @@ public class SamlProtocol implements LoginProtocol {
|
|||
String nameIdFormat = getNameIdFormat(clientSession);
|
||||
String nameId = getNameId(nameIdFormat, clientSession, userSession);
|
||||
|
||||
// save NAME_ID and format in clientSession as they may be persistent or transient or email and not username
|
||||
// we'll need to send this back on a logout
|
||||
clientSession.setNote(SAML_NAME_ID, nameId);
|
||||
clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
|
||||
|
||||
SALM2LoginResponseBuilder builder = new SALM2LoginResponseBuilder();
|
||||
builder.requestID(requestID)
|
||||
.relayState(relayState)
|
||||
|
|
@ -256,8 +278,9 @@ public class SamlProtocol implements LoginProtocol {
|
|||
ApplicationModel app = (ApplicationModel)client;
|
||||
if (app.getManagementUrl() == null) return;
|
||||
|
||||
// build userPrincipal with subject used at login
|
||||
SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
|
||||
.userPrincipal(userSession.getUser().getUsername())
|
||||
.userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT))
|
||||
.destination(client.getClientId());
|
||||
if (requiresRealmSignature(client)) {
|
||||
logoutBuilder.signatureAlgorithm(getSignatureAlgorithm(client))
|
||||
|
|
|
|||
|
|
@ -246,6 +246,7 @@ public class SamlService {
|
|||
private boolean isSupportedNameIdFormat(String nameIdFormat) {
|
||||
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) ||
|
||||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ||
|
||||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()) ||
|
||||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,8 @@
|
|||
<EntityDescriptor entityID="${idp.entityID}">
|
||||
<IDPSSODescriptor WantAuthnRequestsSigned="true"
|
||||
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
||||
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
||||
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
|
||||
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
||||
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
|
||||
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
|
||||
|
||||
|
|
|
|||
|
|
@ -49,6 +49,9 @@ public class SamlBindingTest {
|
|||
|
||||
initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-post-transient", "/sales-post-sig-transient", "post-sig-transient.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-post-persistent", "/sales-post-sig-persistent", "post-sig-persistent.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-metadata", "/sales-metadata", "post-metadata.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
|
||||
initializeSamlSecuredWar("/saml/bad-client-signed-post", "/bad-client-sales-post-sig", "bad-client-post-sig.war", classLoader);
|
||||
|
|
@ -99,6 +102,44 @@ public class SamlBindingTest {
|
|||
driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
|
||||
}
|
||||
@Test
|
||||
public void testPostSignedLoginLogoutTransientNameID() {
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-transient/");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
loginPage.login("bburke", "password");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-transient/");
|
||||
System.out.println(driver.getPageSource());
|
||||
Assert.assertFalse(driver.getPageSource().contains("bburke"));
|
||||
Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-transient?GLO=true");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
|
||||
}
|
||||
@Test
|
||||
public void testPostSignedLoginLogoutPersistentNameID() {
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent/");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
loginPage.login("bburke", "password");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-persistent/");
|
||||
System.out.println(driver.getPageSource());
|
||||
Assert.assertFalse(driver.getPageSource().contains("bburke"));
|
||||
Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent?GLO=true");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
|
||||
}
|
||||
@Test
|
||||
public void testPostSignedLoginLogoutEmailNameID() {
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-email/");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
loginPage.login("bburke", "password");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-email/");
|
||||
System.out.println(driver.getPageSource());
|
||||
Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com"));
|
||||
driver.navigate().to("http://localhost:8081/sales-post-sig-email?GLO=true");
|
||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||
|
||||
}
|
||||
@Test
|
||||
public void testRedirectSignedLoginLogout() {
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ public abstract class SamlKeycloakRule extends AbstractKeycloakRule {
|
|||
resp.setContentType("text/plain");
|
||||
OutputStream stream = resp.getOutputStream();
|
||||
Principal principal = req.getUserPrincipal();
|
||||
stream.write("principal=".getBytes());
|
||||
if (principal == null) {
|
||||
stream.write("null".getBytes());
|
||||
return;
|
||||
|
|
@ -48,6 +49,7 @@ public abstract class SamlKeycloakRule extends AbstractKeycloakRule {
|
|||
resp.setContentType("text/plain");
|
||||
OutputStream stream = resp.getOutputStream();
|
||||
Principal principal = req.getUserPrincipal();
|
||||
stream.write("principal=".getBytes());
|
||||
if (principal == null) {
|
||||
stream.write("null".getBytes());
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -19,8 +19,10 @@
|
|||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||
<Handler
|
||||
|
|
|
|||
|
|
@ -18,8 +18,10 @@
|
|||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||
<Handler
|
||||
|
|
|
|||
|
|
@ -19,8 +19,10 @@
|
|||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||
<Handler
|
||||
|
|
|
|||
Binary file not shown.
|
|
@ -0,0 +1,33 @@
|
|||
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||
</IdentityURL>
|
||||
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-email/}
|
||||
</ServiceURL>
|
||||
<KeyProvider
|
||||
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||
<Auth Key="KeyStorePass" Value="store123"/>
|
||||
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||
</KeyProvider>
|
||||
|
||||
</PicketLinkSP>
|
||||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||
</Handlers>
|
||||
</PicketLink>
|
||||
Binary file not shown.
|
|
@ -0,0 +1,33 @@
|
|||
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||
</IdentityURL>
|
||||
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-persistent/}
|
||||
</ServiceURL>
|
||||
<KeyProvider
|
||||
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||
<Auth Key="KeyStorePass" Value="store123"/>
|
||||
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||
</KeyProvider>
|
||||
|
||||
</PicketLinkSP>
|
||||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||
</Handlers>
|
||||
</PicketLink>
|
||||
Binary file not shown.
|
|
@ -0,0 +1,33 @@
|
|||
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||
</IdentityURL>
|
||||
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-transient/}
|
||||
</ServiceURL>
|
||||
<KeyProvider
|
||||
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||
<Auth Key="KeyStorePass" Value="store123"/>
|
||||
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||
</KeyProvider>
|
||||
|
||||
</PicketLinkSP>
|
||||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||
</Handlers>
|
||||
</PicketLink>
|
||||
|
|
@ -1,31 +1,33 @@
|
|||
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||
</IdentityURL>
|
||||
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig/}
|
||||
</ServiceURL>
|
||||
<KeyProvider
|
||||
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks" />
|
||||
<Auth Key="KeyStorePass" Value="store123" />
|
||||
<Auth Key="SigningKeyPass" Value="test123" />
|
||||
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/" />
|
||||
<ValidatingAlias Key="localhost" Value="demo" />
|
||||
<ValidatingAlias Key="127.0.0.1" Value="demo" />
|
||||
</KeyProvider>
|
||||
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||
</IdentityURL>
|
||||
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig/}
|
||||
</ServiceURL>
|
||||
<KeyProvider
|
||||
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||
<Auth Key="KeyStorePass" Value="store123"/>
|
||||
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||
</KeyProvider>
|
||||
|
||||
</PicketLinkSP>
|
||||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler" />
|
||||
</Handlers>
|
||||
</PicketLinkSP>
|
||||
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||
</Handlers>
|
||||
</PicketLink>
|
||||
|
|
|
|||
|
|
@ -10,7 +10,8 @@
|
|||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
|
||||
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
<Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
|
||||
|
||||
</Handler>
|
||||
|
|
|
|||
|
|
@ -12,8 +12,10 @@
|
|||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||
</Handler>
|
||||
<Handler
|
||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||
</Handlers>
|
||||
|
|
|
|||
|
|
@ -61,6 +61,63 @@
|
|||
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "http://localhost:8081/sales-post-sig-transient/",
|
||||
"enabled": true,
|
||||
"protocol": "saml",
|
||||
"fullScopeAllowed": true,
|
||||
"baseUrl": "http://localhost:8081/sales-post-sig-transient",
|
||||
"adminUrl": "http://localhost:8081/sales-post-sig-transient",
|
||||
"redirectUris": [
|
||||
"http://localhost:8081/sales-post-sig-transient/*"
|
||||
],
|
||||
"attributes": {
|
||||
"saml.server.signature": "true",
|
||||
"saml.signature.algorithm": "RSA_SHA256",
|
||||
"saml.client.signature": "true",
|
||||
"saml.authnstatement": "true",
|
||||
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "http://localhost:8081/sales-post-sig-persistent/",
|
||||
"enabled": true,
|
||||
"protocol": "saml",
|
||||
"fullScopeAllowed": true,
|
||||
"baseUrl": "http://localhost:8081/sales-post-sig-persistent",
|
||||
"adminUrl": "http://localhost:8081/sales-post-sig-persistent",
|
||||
"redirectUris": [
|
||||
"http://localhost:8081/sales-post-sig-persistent/*"
|
||||
],
|
||||
"attributes": {
|
||||
"saml.server.signature": "true",
|
||||
"saml.signature.algorithm": "RSA_SHA256",
|
||||
"saml.client.signature": "true",
|
||||
"saml.authnstatement": "true",
|
||||
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "http://localhost:8081/sales-post-sig-email/",
|
||||
"enabled": true,
|
||||
"protocol": "saml",
|
||||
"fullScopeAllowed": true,
|
||||
"baseUrl": "http://localhost:8081/sales-post-sig-email",
|
||||
"adminUrl": "http://localhost:8081/sales-post-sig-email",
|
||||
"redirectUris": [
|
||||
"http://localhost:8081/sales-post-sig-email/*"
|
||||
],
|
||||
"attributes": {
|
||||
"saml.server.signature": "true",
|
||||
"saml.signature.algorithm": "RSA_SHA256",
|
||||
"saml.client.signature": "true",
|
||||
"saml.authnstatement": "true",
|
||||
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "http://localhost:8081/bad-realm-sales-post-sig/",
|
||||
"enabled": true,
|
||||
|
|
|
|||
Loading…
Reference in a new issue