From fd49213cb9e45f036050e0b72a28e6e7f8877fd2 Mon Sep 17 00:00:00 2001
From: Bill Burke <bburke@redhat.com>
Date: Wed, 17 Feb 2016 17:02:14 -0500
Subject: [PATCH] KEYCLOAK-2477

---
 .../SamlIDPDescriptorClientInstallation.java  | 46 +++++++++++--------
 .../main/resources/idp-metadata-template.xml  |  7 ++-
 2 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java b/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
index 43a712e0c9..5d155d2e5e 100755
--- a/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/installation/SamlIDPDescriptorClientInstallation.java
@@ -47,30 +47,40 @@ public class SamlIDPDescriptorClientInstallation implements ClientInstallationPr
                 "   <IDPSSODescriptor WantAuthnRequestsSigned=\"" + Boolean.toString(samlClient.requiresClientSignature()) + "\"\n" +
                 "      protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n";
         if (samlClient.forceNameIDFormat() && samlClient.getNameIDFormat() != null) {
-            idp +=  "      " + samlClient.getNameIDFormat();
+            idp +=  "   <NameIDFormat>" + samlClient.getNameIDFormat() + "</NameIDFormat>\n";
         } else {
-            idp +=  "      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n" +
-                    "      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n" +
-                    "      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n" +
-                    "      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n";
+            idp +=  "   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>\n" +
+                    "   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n" +
+                    "   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>\n" +
+                    "   <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n";
         }
         String bindUrl = RealmsResource.protocolUrl(UriBuilder.fromUri(serverBaseUri)).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString();
         idp +=  "\n" +
                 "      <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n" +
-                "         Location=\"" + bindUrl + "\" />\n" +
-                "      <SingleLogoutService\n" +
+                "         Location=\"" + bindUrl + "\" />\n";
+        if (!samlClient.forcePostBinding()) {
+           idp +=   "      <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n" +
+                    "         Location=\"" + bindUrl + "\" />\n";
+
+        }
+        idp +=  "      <SingleLogoutService\n" +
                 "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n" +
-                "         Location=\"" + bindUrl + "\" />\n" +
-                "            <KeyDescriptor use=\"signing\">\n" +
-                "                <dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">\n" +
-                "                    <dsig:X509Data>\n" +
-                "                        <dsig:X509Certificate>\n" +
-                "                            " + realm.getCertificatePem() + "\n" +
-                "                        </dsig:X509Certificate>\n" +
-                "                    </dsig:X509Data>\n" +
-                "                </dsig:KeyInfo>\n" +
-                "            </KeyDescriptor>\n" +
-                "      </IDPSSODescriptor>\n" +
+                "         Location=\"" + bindUrl + "\" />\n";
+        if (!samlClient.forcePostBinding()) {
+            idp +=  "      <SingleLogoutService\n" +
+                    "         Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"\n" +
+                    "         Location=\"" + bindUrl + "\" />\n";
+        }
+        idp +=  "      <KeyDescriptor use=\"signing\">\n" +
+                "          <dsig:KeyInfo xmlns:dsig=\"http://www.w3.org/2000/09/xmldsig#\">\n" +
+                "              <dsig:X509Data>\n" +
+                "                  <dsig:X509Certificate>\n" +
+                "                      " + realm.getCertificatePem() + "\n" +
+                "                  </dsig:X509Certificate>\n" +
+                "              </dsig:X509Data>\n" +
+                "          </dsig:KeyInfo>\n" +
+                "      </KeyDescriptor>\n" +
+                "   </IDPSSODescriptor>\n" +
                 "</EntityDescriptor>\n";
         return idp;
     }
diff --git a/services/src/main/resources/idp-metadata-template.xml b/services/src/main/resources/idp-metadata-template.xml
index f2cba1134c..5581ab0a90 100755
--- a/services/src/main/resources/idp-metadata-template.xml
+++ b/services/src/main/resources/idp-metadata-template.xml
@@ -33,8 +33,11 @@
 				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 				Location="${idp.sso.HTTP-Redirect}" />
 			<SingleLogoutService
-				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-				Location="${idp.sls.HTTP-POST}" />
+					Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+					Location="${idp.sls.HTTP-POST}" />
+			<SingleLogoutService
+					Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+					Location="${idp.sso.HTTP-Redirect}" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                     <dsig:X509Data>