From e255e8cf64b8d6e48bce0c30560b334aaafe3933 Mon Sep 17 00:00:00 2001 From: rmartinc Date: Fri, 23 Aug 2019 11:57:10 +0200 Subject: [PATCH] KEYCLOAK-10757: Replaying assertion with signature in SAML adapters --- .../topics/saml/java/general-config/sp_element.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/securing_apps/topics/saml/java/general-config/sp_element.adoc b/securing_apps/topics/saml/java/general-config/sp_element.adoc index 33735f168b..951dcb15e1 100644 --- a/securing_apps/topics/saml/java/general-config/sp_element.adoc +++ b/securing_apps/topics/saml/java/general-config/sp_element.adoc @@ -11,6 +11,7 @@ Here is the explanation of the SP element attributes: nameIDPolicyFormat="format" forceAuthentication="true" isPassive="false" + keepDOMAssertion="true" autodetectBearerOnly="false"> ... @@ -62,3 +63,10 @@ logoutPage:: the user is redirected after logout to that page using the HTTP `302` status code. If a link without scheme part is specified, such as `/logout.jsp`, the page is displayed after logout, _regardless of whether it lies in a protected area according to `security-constraint` declarations in web.xml_, and the page is resolved relative to the deployment context root. + +keepDOMAssertion:: + This attribute should be set to __true__ to make the adapter store the DOM representation of the assertion in its + original form inside the `SamlPrincipal` associated to the request. The assertion document can be retrieved using + the method `getAssertionDocument` inside the principal. This is specially useful when re-playing a signed assertion. + The returned document is the one that was generated parsing the SAML response received by the {project_name} server. + This setting is _OPTIONAL_ and its default value is __false__ (the document is not saved inside the principal).
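Review bot: In the first hunk, the sample `<SP>` element now carries `keepDOMAssertion="true"`, but this patch touches only `sp_element.adoc` (1 file changed, 8 insertions) and nothing in the adapter itself, so please confirm the attribute name and its parsing in the adapter configuration code land in a companion change for KEYCLOAK-10757, otherwise the documented attribute will be silently ignored. Showing `true` in the example is fine as long as the description below states the default is `false`, which it does.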
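Review bot: In the second hunk, the sentence "generated parsing the SAML response received by the {project_name} server" has the direction wrong: the adapter (the SP) receives the response from the {project_name} server, so it should read "received from the {project_name} server". It would also help the reader to say why the original DOM matters, namely that re-serializing a parsed assertion can alter the exact XML that the signature covers, so a signed assertion handed on to another service can only be validated there if the adapter kept the original form; and to note the cost that the full DOM is retained in the `SamlPrincipal` for the life of the session. Minor wording: "associated to the request" should be "associated with the request", "specially useful" should be "especially useful", and the emphasis markup is mixed (`__true__`/`__false__` next to `_OPTIONAL_`); use the single-underscore form consistently, as the rest of the file does.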