Merge pull request #910 from patriot1burke/master
saml persistent and transient id support
This commit is contained in:
commit
dc94fac9f5
19 changed files with 281 additions and 44 deletions
|
@ -22,9 +22,11 @@ import java.net.URI;
|
||||||
*/
|
*/
|
||||||
public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRequestBuilder> {
|
public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRequestBuilder> {
|
||||||
protected String userPrincipal;
|
protected String userPrincipal;
|
||||||
|
protected String userPrincipalFormat;
|
||||||
|
|
||||||
public SAML2LogoutRequestBuilder userPrincipal(String userPrincipal) {
|
public SAML2LogoutRequestBuilder userPrincipal(String nameID, String nameIDformat) {
|
||||||
this.userPrincipal = userPrincipal;
|
this.userPrincipal = nameID;
|
||||||
|
this.userPrincipalFormat = nameIDformat;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -51,7 +53,7 @@ public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRe
|
||||||
NameIDType nameID = new NameIDType();
|
NameIDType nameID = new NameIDType();
|
||||||
nameID.setValue(userPrincipal);
|
nameID.setValue(userPrincipal);
|
||||||
//Deal with NameID Format
|
//Deal with NameID Format
|
||||||
String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
|
String nameIDFormat = userPrincipalFormat;
|
||||||
nameID.setFormat(URI.create(nameIDFormat));
|
nameID.setFormat(URI.create(nameIDFormat));
|
||||||
lort.setNameID(nameID);
|
lort.setNameID(nameID);
|
||||||
|
|
||||||
|
|
|
@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import javax.ws.rs.core.UriInfo;
|
import javax.ws.rs.core.UriInfo;
|
||||||
import java.security.PublicKey;
|
import java.security.PublicKey;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
|
@ -54,7 +55,10 @@ public class SamlProtocol implements LoginProtocol {
|
||||||
public static final String SAML_ENCRYPT = "saml.encrypt";
|
public static final String SAML_ENCRYPT = "saml.encrypt";
|
||||||
public static final String SAML_FORCE_POST_BINDING = "saml.force.post.binding";
|
public static final String SAML_FORCE_POST_BINDING = "saml.force.post.binding";
|
||||||
public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
|
public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
|
||||||
|
public static final String SAML_NAME_ID = "SAML_NAME_ID";
|
||||||
|
public static final String SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT";
|
||||||
public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
|
public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
|
||||||
|
public static final String SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for";
|
||||||
|
|
||||||
protected KeycloakSession session;
|
protected KeycloakSession session;
|
||||||
|
|
||||||
|
@ -128,9 +132,22 @@ public class SamlProtocol implements LoginProtocol {
|
||||||
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
|
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
|
||||||
return userSession.getUser().getEmail();
|
return userSession.getUser().getEmail();
|
||||||
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
|
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
|
||||||
|
// "G-" stands for "generated" Add this for the slight possibility of collisions.
|
||||||
|
return "G-" + UUID.randomUUID().toString();
|
||||||
|
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())) {
|
||||||
|
// generate a persistent user id specifically for each client.
|
||||||
|
UserModel user = userSession.getUser();
|
||||||
|
String name = SAML_PERSISTENT_NAME_ID_FOR + "." + clientSession.getClient().getClientId();
|
||||||
|
String samlPersistentId = user.getAttribute(name);
|
||||||
|
if (samlPersistentId != null) return samlPersistentId;
|
||||||
|
// "G-" stands for "generated"
|
||||||
|
samlPersistentId = "G-" + UUID.randomUUID().toString();
|
||||||
|
user.setAttribute(name, samlPersistentId);
|
||||||
|
return samlPersistentId;
|
||||||
|
} else if(nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())){
|
||||||
|
// TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
|
||||||
return userSession.getUser().getUsername();
|
return userSession.getUser().getUsername();
|
||||||
} else {
|
} else {
|
||||||
// TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
|
|
||||||
return userSession.getUser().getUsername();
|
return userSession.getUser().getUsername();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -146,6 +163,11 @@ public class SamlProtocol implements LoginProtocol {
|
||||||
String nameIdFormat = getNameIdFormat(clientSession);
|
String nameIdFormat = getNameIdFormat(clientSession);
|
||||||
String nameId = getNameId(nameIdFormat, clientSession, userSession);
|
String nameId = getNameId(nameIdFormat, clientSession, userSession);
|
||||||
|
|
||||||
|
// save NAME_ID and format in clientSession as they may be persistent or transient or email and not username
|
||||||
|
// we'll need to send this back on a logout
|
||||||
|
clientSession.setNote(SAML_NAME_ID, nameId);
|
||||||
|
clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
|
||||||
|
|
||||||
SALM2LoginResponseBuilder builder = new SALM2LoginResponseBuilder();
|
SALM2LoginResponseBuilder builder = new SALM2LoginResponseBuilder();
|
||||||
builder.requestID(requestID)
|
builder.requestID(requestID)
|
||||||
.relayState(relayState)
|
.relayState(relayState)
|
||||||
|
@ -256,8 +278,9 @@ public class SamlProtocol implements LoginProtocol {
|
||||||
ApplicationModel app = (ApplicationModel)client;
|
ApplicationModel app = (ApplicationModel)client;
|
||||||
if (app.getManagementUrl() == null) return;
|
if (app.getManagementUrl() == null) return;
|
||||||
|
|
||||||
|
// build userPrincipal with subject used at login
|
||||||
SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
|
SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
|
||||||
.userPrincipal(userSession.getUser().getUsername())
|
.userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT))
|
||||||
.destination(client.getClientId());
|
.destination(client.getClientId());
|
||||||
if (requiresRealmSignature(client)) {
|
if (requiresRealmSignature(client)) {
|
||||||
logoutBuilder.signatureAlgorithm(getSignatureAlgorithm(client))
|
logoutBuilder.signatureAlgorithm(getSignatureAlgorithm(client))
|
||||||
|
|
|
@ -246,6 +246,7 @@ public class SamlService {
|
||||||
private boolean isSupportedNameIdFormat(String nameIdFormat) {
|
private boolean isSupportedNameIdFormat(String nameIdFormat) {
|
||||||
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) ||
|
if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) ||
|
||||||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ||
|
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ||
|
||||||
|
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()) ||
|
||||||
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
|
nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
<EntityDescriptor entityID="${idp.entityID}">
|
<EntityDescriptor entityID="${idp.entityID}">
|
||||||
<IDPSSODescriptor WantAuthnRequestsSigned="true"
|
<IDPSSODescriptor WantAuthnRequestsSigned="true"
|
||||||
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
||||||
|
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
|
||||||
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
|
||||||
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
|
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
|
||||||
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
|
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
|
||||||
|
|
|
@ -49,6 +49,9 @@ public class SamlBindingTest {
|
||||||
|
|
||||||
initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader);
|
initializeSamlSecuredWar("/saml/simple-post", "/sales-post", "post.war", classLoader);
|
||||||
initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
|
initializeSamlSecuredWar("/saml/signed-post", "/sales-post-sig", "post-sig.war", classLoader);
|
||||||
|
initializeSamlSecuredWar("/saml/signed-post-email", "/sales-post-sig-email", "post-sig-email.war", classLoader);
|
||||||
|
initializeSamlSecuredWar("/saml/signed-post-transient", "/sales-post-sig-transient", "post-sig-transient.war", classLoader);
|
||||||
|
initializeSamlSecuredWar("/saml/signed-post-persistent", "/sales-post-sig-persistent", "post-sig-persistent.war", classLoader);
|
||||||
initializeSamlSecuredWar("/saml/signed-metadata", "/sales-metadata", "post-metadata.war", classLoader);
|
initializeSamlSecuredWar("/saml/signed-metadata", "/sales-metadata", "post-metadata.war", classLoader);
|
||||||
initializeSamlSecuredWar("/saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
|
initializeSamlSecuredWar("/saml/signed-get", "/employee-sig", "employee-sig.war", classLoader);
|
||||||
initializeSamlSecuredWar("/saml/bad-client-signed-post", "/bad-client-sales-post-sig", "bad-client-post-sig.war", classLoader);
|
initializeSamlSecuredWar("/saml/bad-client-signed-post", "/bad-client-sales-post-sig", "bad-client-post-sig.war", classLoader);
|
||||||
|
@ -99,6 +102,44 @@ public class SamlBindingTest {
|
||||||
driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true");
|
driver.navigate().to("http://localhost:8081/sales-post-sig?GLO=true");
|
||||||
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
|
||||||
|
}
|
||||||
|
@Test
|
||||||
|
public void testPostSignedLoginLogoutTransientNameID() {
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-transient/");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
loginPage.login("bburke", "password");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-transient/");
|
||||||
|
System.out.println(driver.getPageSource());
|
||||||
|
Assert.assertFalse(driver.getPageSource().contains("bburke"));
|
||||||
|
Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-transient?GLO=true");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
|
||||||
|
}
|
||||||
|
@Test
|
||||||
|
public void testPostSignedLoginLogoutPersistentNameID() {
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent/");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
loginPage.login("bburke", "password");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-persistent/");
|
||||||
|
System.out.println(driver.getPageSource());
|
||||||
|
Assert.assertFalse(driver.getPageSource().contains("bburke"));
|
||||||
|
Assert.assertTrue(driver.getPageSource().contains("principal=G-"));
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-persistent?GLO=true");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
|
||||||
|
}
|
||||||
|
@Test
|
||||||
|
public void testPostSignedLoginLogoutEmailNameID() {
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-email/");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
loginPage.login("bburke", "password");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/sales-post-sig-email/");
|
||||||
|
System.out.println(driver.getPageSource());
|
||||||
|
Assert.assertTrue(driver.getPageSource().contains("principal=bburke@redhat.com"));
|
||||||
|
driver.navigate().to("http://localhost:8081/sales-post-sig-email?GLO=true");
|
||||||
|
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/auth/realms/demo/protocol/saml");
|
||||||
|
|
||||||
}
|
}
|
||||||
@Test
|
@Test
|
||||||
public void testRedirectSignedLoginLogout() {
|
public void testRedirectSignedLoginLogout() {
|
||||||
|
|
|
@ -36,6 +36,7 @@ public abstract class SamlKeycloakRule extends AbstractKeycloakRule {
|
||||||
resp.setContentType("text/plain");
|
resp.setContentType("text/plain");
|
||||||
OutputStream stream = resp.getOutputStream();
|
OutputStream stream = resp.getOutputStream();
|
||||||
Principal principal = req.getUserPrincipal();
|
Principal principal = req.getUserPrincipal();
|
||||||
|
stream.write("principal=".getBytes());
|
||||||
if (principal == null) {
|
if (principal == null) {
|
||||||
stream.write("null".getBytes());
|
stream.write("null".getBytes());
|
||||||
return;
|
return;
|
||||||
|
@ -48,6 +49,7 @@ public abstract class SamlKeycloakRule extends AbstractKeycloakRule {
|
||||||
resp.setContentType("text/plain");
|
resp.setContentType("text/plain");
|
||||||
OutputStream stream = resp.getOutputStream();
|
OutputStream stream = resp.getOutputStream();
|
||||||
Principal principal = req.getUserPrincipal();
|
Principal principal = req.getUserPrincipal();
|
||||||
|
stream.write("principal=".getBytes());
|
||||||
if (principal == null) {
|
if (principal == null) {
|
||||||
stream.write("null".getBytes());
|
stream.write("null".getBytes());
|
||||||
return;
|
return;
|
||||||
|
|
|
@ -20,7 +20,9 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
|
</Handler>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
|
|
|
@ -19,7 +19,9 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
|
</Handler>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
|
|
|
@ -20,7 +20,9 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
|
</Handler>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,33 @@
|
||||||
|
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||||
|
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||||
|
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||||
|
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||||
|
</IdentityURL>
|
||||||
|
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-email/}
|
||||||
|
</ServiceURL>
|
||||||
|
<KeyProvider
|
||||||
|
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||||
|
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||||
|
<Auth Key="KeyStorePass" Value="store123"/>
|
||||||
|
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||||
|
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||||
|
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||||
|
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||||
|
</KeyProvider>
|
||||||
|
|
||||||
|
</PicketLinkSP>
|
||||||
|
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
|
||||||
|
</Handler>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||||
|
</Handlers>
|
||||||
|
</PicketLink>
|
Binary file not shown.
|
@ -0,0 +1,33 @@
|
||||||
|
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||||
|
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||||
|
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||||
|
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||||
|
</IdentityURL>
|
||||||
|
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-persistent/}
|
||||||
|
</ServiceURL>
|
||||||
|
<KeyProvider
|
||||||
|
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||||
|
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||||
|
<Auth Key="KeyStorePass" Value="store123"/>
|
||||||
|
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||||
|
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||||
|
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||||
|
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||||
|
</KeyProvider>
|
||||||
|
|
||||||
|
</PicketLinkSP>
|
||||||
|
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
|
||||||
|
</Handler>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||||
|
</Handlers>
|
||||||
|
</PicketLink>
|
Binary file not shown.
|
@ -0,0 +1,33 @@
|
||||||
|
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
|
||||||
|
<PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
|
||||||
|
ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true">
|
||||||
|
<IdentityURL>${idp-sig.url::http://localhost:8081/auth/realms/demo/protocol/saml}
|
||||||
|
</IdentityURL>
|
||||||
|
<ServiceURL>${sales-post-sig.url::http://localhost:8081/sales-post-sig-transient/}
|
||||||
|
</ServiceURL>
|
||||||
|
<KeyProvider
|
||||||
|
ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
|
||||||
|
<Auth Key="KeyStoreURL" Value="saml/signed-post/WEB-INF/keystore.jks"/>
|
||||||
|
<Auth Key="KeyStorePass" Value="store123"/>
|
||||||
|
<Auth Key="SigningKeyPass" Value="test123"/>
|
||||||
|
<Auth Key="SigningKeyAlias" Value="http://localhost:8080/sales-post-sig/"/>
|
||||||
|
<ValidatingAlias Key="localhost" Value="demo"/>
|
||||||
|
<ValidatingAlias Key="127.0.0.1" Value="demo"/>
|
||||||
|
</KeyProvider>
|
||||||
|
|
||||||
|
</PicketLinkSP>
|
||||||
|
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
|
||||||
|
</Handler>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureGenerationHandler"/>
|
||||||
|
<Handler
|
||||||
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2SignatureValidationHandler"/>
|
||||||
|
</Handlers>
|
||||||
|
</PicketLink>
|
|
@ -20,7 +20,9 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
|
</Handler>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
|
||||||
<Handler
|
<Handler
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
<Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
|
<Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>
|
||||||
|
|
||||||
</Handler>
|
</Handler>
|
||||||
|
|
|
@ -13,7 +13,9 @@
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
|
||||||
|
<Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
|
||||||
|
</Handler>
|
||||||
<Handler
|
<Handler
|
||||||
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
|
||||||
</Handlers>
|
</Handlers>
|
||||||
|
|
|
@ -61,6 +61,63 @@
|
||||||
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"name": "http://localhost:8081/sales-post-sig-transient/",
|
||||||
|
"enabled": true,
|
||||||
|
"protocol": "saml",
|
||||||
|
"fullScopeAllowed": true,
|
||||||
|
"baseUrl": "http://localhost:8081/sales-post-sig-transient",
|
||||||
|
"adminUrl": "http://localhost:8081/sales-post-sig-transient",
|
||||||
|
"redirectUris": [
|
||||||
|
"http://localhost:8081/sales-post-sig-transient/*"
|
||||||
|
],
|
||||||
|
"attributes": {
|
||||||
|
"saml.server.signature": "true",
|
||||||
|
"saml.signature.algorithm": "RSA_SHA256",
|
||||||
|
"saml.client.signature": "true",
|
||||||
|
"saml.authnstatement": "true",
|
||||||
|
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||||
|
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "http://localhost:8081/sales-post-sig-persistent/",
|
||||||
|
"enabled": true,
|
||||||
|
"protocol": "saml",
|
||||||
|
"fullScopeAllowed": true,
|
||||||
|
"baseUrl": "http://localhost:8081/sales-post-sig-persistent",
|
||||||
|
"adminUrl": "http://localhost:8081/sales-post-sig-persistent",
|
||||||
|
"redirectUris": [
|
||||||
|
"http://localhost:8081/sales-post-sig-persistent/*"
|
||||||
|
],
|
||||||
|
"attributes": {
|
||||||
|
"saml.server.signature": "true",
|
||||||
|
"saml.signature.algorithm": "RSA_SHA256",
|
||||||
|
"saml.client.signature": "true",
|
||||||
|
"saml.authnstatement": "true",
|
||||||
|
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||||
|
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "http://localhost:8081/sales-post-sig-email/",
|
||||||
|
"enabled": true,
|
||||||
|
"protocol": "saml",
|
||||||
|
"fullScopeAllowed": true,
|
||||||
|
"baseUrl": "http://localhost:8081/sales-post-sig-email",
|
||||||
|
"adminUrl": "http://localhost:8081/sales-post-sig-email",
|
||||||
|
"redirectUris": [
|
||||||
|
"http://localhost:8081/sales-post-sig-email/*"
|
||||||
|
],
|
||||||
|
"attributes": {
|
||||||
|
"saml.server.signature": "true",
|
||||||
|
"saml.signature.algorithm": "RSA_SHA256",
|
||||||
|
"saml.client.signature": "true",
|
||||||
|
"saml.authnstatement": "true",
|
||||||
|
"saml.signing.private.key": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==",
|
||||||
|
"saml.signing.certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw=="
|
||||||
|
}
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"name": "http://localhost:8081/bad-realm-sales-post-sig/",
|
"name": "http://localhost:8081/bad-realm-sales-post-sig/",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
|
|
Loading…
Reference in a new issue