SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata

Closes #11079
This commit is contained in:
i7a7467 2022-04-02 14:37:23 +09:00 committed by Marek Posolda
parent d7a408d081
commit e41e1a971a
2 changed files with 70 additions and 3 deletions


@ -344,12 +344,17 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
public Response export(UriInfo uriInfo, RealmModel realm, String format) {
try
{
URI authnBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.getUri();
URI authnResponseBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.getUri();
if (getConfig().isPostBindingAuthnRequest()) {
authnBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.getUri();
authnResponseBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.getUri();
}
URI logoutBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.getUri();
if (getConfig().isPostBindingLogout()) {
logoutBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.getUri();
}
URI endpoint = uriInfo.getBaseUriBuilder()
.path("realms").path(realm.getName())
.path("broker")
@ -407,7 +412,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
SAMLMetadataWriter metadataWriter = new SAMLMetadataWriter(writer);
EntityDescriptorType entityDescriptor = SPMetadataDescriptor.buildSPDescriptor(
authnBinding, authnBinding, endpoint, endpoint,
authnResponseBinding, logoutBinding, endpoint, endpoint,
wantAuthnRequestsSigned, wantAssertionsSigned, wantAssertionsEncrypted,
entityId, nameIDPolicyFormat, signingKeys, encryptionKeys);
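Review bot: The advertised AssertionConsumerService binding (authnResponseBinding, declared at the new line after `URI authnBinding` and reassigned inside the `isPostBindingAuthnRequest()` block) is deliberately tied to the AuthnRequest binding rather than to the POST_BINDING_RESPONSE setting, but nothing in the production code records that decision; the only trace is the "backward compatibility" comment in the tests. Since authnResponseBinding is assigned exactly the same value as authnBinding on both paths, the two new declarations can collapse to one line placed after the `if` block, carrying the reason: `URI authnResponseBinding = authnBinding; // ACS binding intentionally follows the AuthnRequest binding, not POST_BINDING_RESPONSE, so existing metadata stays unchanged`. Whether the broker's response endpoint accepts a Response on the binding that is now advertised regardless of POST_BINDING_RESPONSE is not visible in this hunk, so the comment should also name where that setting is actually consumed. The second hunk only passes the new variables into buildSPDescriptor and needs no change. export() starts on the hunk's first line and continues past both hunks.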


@ -380,4 +380,66 @@ public class KcSamlSpDescriptorTest extends AbstractBrokerTest {
}
}
@Test
public void testMetadataBindingEqualsKeycloakPOSTBindingSettingsOn()
throws IOException, ParsingException, URISyntaxException {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource)
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "true")
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_LOGOUT, "true")
//To ensure that backward compatibility is maintained, the value is intentionally reversed from isPostBindingAuthnRequest.
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_RESPONSE, "false")
.update())
{
String spDescriptorString = identityProviderResource.export(null).readEntity(String.class);
SAMLParser parser = SAMLParser.getInstance();
EntityDescriptorType o = (EntityDescriptorType) parser.parse(new StringInputStream(spDescriptorString));
SPSSODescriptorType spDescriptor = o.getChoiceType().get(0).getDescriptors().get(0).getSpDescriptor();
assertThat(spDescriptor.getSingleLogoutService().get(0).getBinding().toString(),
is(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()));
assertThat(spDescriptor.getAssertionConsumerService().get(0).getBinding().toString(),
is(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()));
}
}
@Test
public void testMetadataBindingEqualsKeycloakPOSTBindingSettingsOff()
throws IOException, ParsingException, URISyntaxException {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource)
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "false")
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_LOGOUT, "false")
//To ensure that backward compatibility is maintained, the value is intentionally reversed from isPostBindingAuthnRequest.
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_RESPONSE, "true")
.update()) {
String spDescriptorString = identityProviderResource.export(null).readEntity(String.class);
SAMLParser parser = SAMLParser.getInstance();
EntityDescriptorType o = (EntityDescriptorType) parser.parse(new StringInputStream(spDescriptorString));
SPSSODescriptorType spDescriptor = o.getChoiceType().get(0).getDescriptors().get(0).getSpDescriptor();
assertThat(spDescriptor.getSingleLogoutService().get(0).getBinding().toString(),
is(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get()));
assertThat(spDescriptor.getAssertionConsumerService().get(0).getBinding().toString(),
is(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get()));
}
}
@Test
public void testMetadataBindingEqualsKeycloakSLOBindingSettingsIsDefault()
throws IOException, ParsingException, URISyntaxException {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource).update()){
String spDescriptorString = identityProviderResource.export(null).readEntity(String.class);
SAMLParser parser = SAMLParser.getInstance();
EntityDescriptorType o = (EntityDescriptorType) parser.parse(new StringInputStream(spDescriptorString));
SPSSODescriptorType spDescriptor = o.getChoiceType().get(0).getDescriptors().get(0).getSpDescriptor();
assertThat(spDescriptor.getSingleLogoutService().get(0).getBinding().toString(),
is(spDescriptor.getAssertionConsumerService().get(0).getBinding().toString()));
}
}
}
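Review bot: The three new tests repeat the same five-line export-parse-descriptor sequence (from `identityProviderResource.export(null)` through `getSpDescriptor()`), so any change in the metadata path (for example the `get(0)` indexing into the choice and descriptor lists) has to be fixed in three places. Extracting it into a private helper leaves each test with just its attribute setup and assertions, and gives the `get(0)` chain one place to be documented. The unused `idpUpdater` resource is the established pattern for scoping the attribute change and is fine as is; the `.update()){` spacing in the default-binding test should match the other two. The enclosing class KcSamlSpDescriptorTest starts before this hunk.
```java
/** Exports the broker's SP metadata and returns the first SPSSODescriptor it contains. */
private SPSSODescriptorType exportSpDescriptor()
        throws IOException, ParsingException, URISyntaxException {
    String spDescriptorString = identityProviderResource.export(null).readEntity(String.class);
    SAMLParser parser = SAMLParser.getInstance();
    EntityDescriptorType o = (EntityDescriptorType) parser.parse(new StringInputStream(spDescriptorString));
    // first EntityDescriptor choice, first role descriptor: the only one this export produces
    return o.getChoiceType().get(0).getDescriptors().get(0).getSpDescriptor();
}

@Test
public void testMetadataBindingEqualsKeycloakPOSTBindingSettingsOn()
        throws IOException, ParsingException, URISyntaxException {
    // … unchanged: IdentityProviderAttributeUpdater try-with-resources header …
        SPSSODescriptorType spDescriptor = exportSpDescriptor();
        // … unchanged: SLO and ACS binding assertions …
    }
}
// … unchanged: the Off and IsDefault tests, each calling exportSpDescriptor() the same way …
```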