Commit graph

198 commits

Author SHA1 Message Date
Steeve Beroard
fc9a0e1766 [KEYCLOAK-8104] Keycloak SAML Adapter does not support clockSkew configuration
Co-Authored-By: vramik <vramik@redhat.com>
2019-07-15 13:08:52 +02:00
Hynek Mlnarik
ca4e14fbfa KEYCLOAK-7852 Use original NameId value in logout requests 2019-07-04 19:30:21 +02:00
Vlasta Ramik
cc8cfd4269 KEYCLOAK-10751 Fix SAML undertow adapter not sending challenge
Co-Authored-By: mhajas <mhajas@redhat.com>
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-07-04 10:04:51 +02:00
vramik
d245287320 KEYCLOAK-9598 Apache Tomcat adapter 2019-06-14 10:09:13 +02:00
Sebastian Laskawiec
e739344556 KEYCLOAK-9640 Unify surefire versions 2019-06-13 13:26:49 +02:00
vramik
3bbab225c8 KEYCLOAK-9596 Remove Apache Tomcat 6.0.x adapter 2019-05-28 12:00:19 +02:00
keycloak-bot
49d4e935cb Set version to 7.0.0-SNAPSHOT 2019-04-17 09:48:07 +01:00
Sebastian Laskawiec
0042726dd8 KEYCLOAK-9601 KEYCLOAK-9602 Jetty 8.1 and 9.1 removal
Co-Authored-By: mhajas <mhajas@redhat.com>
2019-04-16 11:21:29 +02:00
Martin Ball
21e2fa8784 KEYCLOAK-4249 - Make IDP URL in keycloak-saml.xml configurable
Added the metadata url as an attribute on the IDP in the keycloak saml configuration which then propagates through to the DefaultSamlDeployment where it is used on the construction of the SamlDescriptorPublicKeyLocator thereby allowing support for ADFS or other IDP which uses a path that is different to the Keycloak IDP.

To make this work when testing with ADFS a change was made to SamlDescriptorIDPKeysExtractor because it would not extract keys from metadata which contained the EntityDescriptor as the root element. The solution was to change the xpath expression in SamlDescriptorIDPKeysExtractor so that it does not require a wrapping EntitiesDescriptor but instead loads all EntityDescriptors located in the document. This allows it to handle a single EntityDescriptor or multiple descriptors wrapped in an EntitiesDescriptor in the same xpath expression. A unit test SamlDescriptorIDPKeysExtractorTest has been added which validates that keys can be loaded in both scenarios.
2019-03-27 08:04:53 +01:00
keycloak-bot
e843d84f6e Set version to 6.0.0-SNAPSHOT 2019-03-06 15:54:08 +01:00
mhajas
8a750c7fca KEYCLOAK-6750 Adapt Tomcat adapter tests to new structure 2019-03-06 08:57:46 +01:00
stianst
e06c705ca8 Set version 5.0.0 2019-02-21 09:35:14 +01:00
stianst
7c9f15778a Set version to 4.8.3.Final 2019-01-09 20:39:30 +01:00
stianst
7c4890152c Set version to 4.8.2 2019-01-03 14:43:22 +01:00
stianst
b674c0d4d9 Prepare for 4.8.0.Final 2018-12-04 13:54:25 +01:00
stianst
ecd476fb10 Prepare for 4.7.0.Final 2018-11-14 20:10:59 +01:00
Hynek Mlnarik
7703d81389 KEYCLOAK-7421 Support SAML cluster logout for Elytron SAML adapter 2018-11-09 21:06:50 +01:00
vramik
560d76b7ee KEYCLOAK-6748 undertow saml adapter tests 2018-11-06 21:17:07 +01:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
vramik
623d985e7f KEYCLOAK-8454 KeycloakHttpServerAuthenticationMechanism uses wrong status code when logout page not set 2018-10-17 19:03:24 +02:00
Hynek Mlnarik
211774ccbc KEYCLOAK-7810 Fix NPE in Elytron SAML adapter 2018-10-04 14:38:45 +02:00
stianst
c3fc9e9815 Set version to 4.6.0.Final-SNAPSHOT 2018-09-26 20:58:41 +02:00
Hynek Mlnarik
2bf6d75e57 KEYCLOAK-8010 Improve handling of Conditions SAML tag 2018-09-19 14:00:28 +02:00
stianst
1fb4ca4525 Set version to 4.5.0.Final 2018-09-06 20:08:02 +02:00
Hynek Mlnarik
812e76c39b KEYCLOAK-8163 Improve SAML validations 2018-09-05 15:47:03 +02:00
Hynek Mlnarik
a8a9631d4f KEYCLOAK-6832 Unify Destination attribute handling 2018-08-09 10:30:30 +02:00
mposolda
959cd035ba Set version to 4.3.0.Final-SNAPSHOT 2018-08-01 22:40:05 +02:00
rmartinc
4a82979792 KEYCLOAK-1925: SAML adapter multitenant support 2018-07-10 13:21:11 +02:00
mposolda
d0a824dde4 Updating version to 4.2.0.Final-SNAPSHOT 2018-07-05 07:42:48 -04:00
Pedro Igor
23db2b852b [KEYCLOAK-7679] - Wildfly adapter must be disabled when using Elytron 2018-06-28 11:08:28 -03:00
Hynek Mlnarik
6b968796ce KEYCLOAK-7667 Fix namespace handling when decrypting assertion 2018-06-21 13:09:18 +02:00
vramik
2fcfa5cf71 KEYCLOAK-7094 Support redirect to external logout page for saml filter adapter 2018-06-19 13:23:18 +02:00
stianst
e1a0e581b9 Update to 4.1.0.Final-SNAPSHOT 2018-06-14 14:22:28 +02:00
vramik
5f1f3dff5e KEYCLOAK-7094 Support redirect to external logout page for elytron adapter 2018-06-13 12:50:38 +02:00
Vlasta Ramik
182c975e01 KEYCLOAK-7597 fix logger classes (#5263) 2018-06-12 11:02:04 -03:00
Hynek Mlnarik
5a241392cf KEYCLOAK-7094 Support redirect to external logout page 2018-06-05 14:51:18 +02:00
Stian Thorgersen
dbf5c395b0 Bump version to 4.0.0.Final (#5224) 2018-05-24 19:02:30 +02:00
Stian Thorgersen
90e5c7f3eb Bump version to 4.0.0.Beta3-SNAPSHOT (#5185) 2018-05-02 14:32:20 +02:00
pedroigor
b249a48dcf [KEYCLOAK-7147] - Support obtaining a buffered input stream in HttpFacade.Request 2018-04-25 10:16:41 -03:00
stianst
07fea02146 Bump versions to 4.0.0.Beta2-SNAPSHOT 2018-03-26 18:17:38 +02:00
Hynek Mlnarik
1f20c03afa KEYCLOAK-6470 Refactor SAML adapter parsers 2018-02-27 09:37:29 +01:00
Hynek Mlnarik
e7cdb8ad54 KEYCLOAK-6473 KEYCLOAK-6472 SAML parser refactor + protocol parsers 2018-02-23 08:16:14 +01:00
stianst
0bedbb4dd3 Bump version to 4.0.0.CR1-SNAPSHOT 2017-12-21 15:06:00 +01:00
Hynek Mlnarik
626004e782 KEYCLOAK-6066 Be less strict when handling cookies 2017-12-19 21:39:41 +01:00
stianst
37de8e9f69 Bump version to 3.4.2.Final-SNAPSHOT 2017-12-01 09:34:48 +01:00
David De Vreese
9485a63157 KEYCLOAK-5183 Support for AssertionConsumerServiceUrl in Saml Adapter subsystem
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2017-11-20 15:59:47 +01:00
Stian Thorgersen
128ff12f8f Bump versions 2017-11-09 15:37:21 +01:00
Pedro Igor
476dd1cef5 [KEYCLOAK-4439] - Fixing saml adapter 2017-11-08 19:01:54 -02:00
Pedro Igor
a8ba3eb7f9 [KEYCLOAK-4439] - Fixing elytron adapter for standalone apps 2017-11-08 14:09:34 -02:00
Pedro Igor
4c71e2ec17 [KEYCLOAK-4439] - Changes for Wildfly 11.0.0.CR1 (#4504)
* [KEYCLOAK-4439] - Changes for Wildfly 11.0.0.CR1

* [KEYCLOAK-5463] - Fixing servlet filter when using elytron adapters
2017-09-28 11:46:17 +02:00
Jasper Siepkes
458c2f2682 Clarify request URI mismatch error message in SAML adapter.
Show expected URI and received URI in error message. Also makes the logging behavior of 'handleSamlResponse' the same as 'handleSamlRequest' since that method already shows the expected and received URI.
2017-09-11 19:52:49 +02:00
Stian Thorgersen
463661b051 Set version to 3.4.0.CR1-SNAPSHOT 2017-08-28 15:46:22 +02:00
Hynek Mlnarik
794c508b10 KEYCLOAK-4995 Support for distributed SAML logout in cross DC 2017-08-28 13:15:11 +02:00
Pedro Igor
d3e559453b [KEYCLOAK-5015] - Updating Elytron Adapters 2017-08-22 18:01:19 -03:00
Marek Posolda
1b83928652 Merge pull request #4354 from hmlnarik/KEYCLOAK-5241-Tomcat-Adapter-8-x-does-not-work-with-Tomcat-8-5-8
KEYCLOAK-5241 Tomcat SAML Adapter (Fix for Tomcat 8.5.8)
2017-07-27 14:27:19 +02:00
Hynek Mlnarik
96bdd32bd0 KEYCLOAK-5241 Tomcat SAML Adapter Tomcat 8.5.8 2017-07-27 10:20:49 +02:00
Hynek Mlnarik
d8b77895db KEYCLOAK-4788 Fix reversed arguments and String comparison 2017-07-27 08:25:22 +02:00
Marek Posolda
dd6a7b23c3 Merge pull request #4350 from hmlnarik/KEYCLOAK-4446-Failed-to-process-response-when-reject-consent-with-turned-on-encryption
KEYCLOAK-4446 Do not encrypt SAML status messages
2017-07-26 15:31:54 +02:00
Hynek Mlnarik
3c537f5f28 KEYCLOAK-4446 Do not encrypt SAML status messages
SAML status messages are not encryptable per Chapter 6 of
saml-core-2.0-os.pdf. Only assertions, attributes, base ID and name ID
can be encrypted.
2017-07-26 11:22:56 +02:00
Hynek Mlnarik
8d81a4a2e4 KEYCLOAK-5236 2017-07-26 11:22:05 +02:00
Pedro Igor
5456514499 [KEYCLOAK-5015] - Pushing keycloak context to exchange scope 2017-07-19 16:39:38 -03:00
Stian Thorgersen
454c5f4d83 Set version to 3.3.0.CR1-SNAPSHOT 2017-06-30 09:47:11 +02:00
hmlnarik
b4ad69b841 KEYCLOAK-5115 (#4272) 2017-06-29 15:50:50 +02:00
Frederik Libert
63d2d0f7ed KEYCLOAK-4897 SAML Adapter fails to validate signature on assertion 2017-06-19 18:26:17 +02:00
Hisanobu Okuda
9135ba7c40 KEYCLOAK-4980 SAML adapter should return 401 when unauthenticated Ajax client accesses 2017-06-08 23:36:25 +09:00
Frederik Libert
71f0db0837 KEYCLOAK-4897
SAML Adapter fails to validate signature on encrypted assertion.
2017-05-17 15:47:04 +02:00
Stian Thorgersen
87dedb56e5 Set version to 3.2.0.CR1-SNAPSHOT 2017-04-27 14:23:03 +02:00
Hynek Mlnarik
d7615d6a68 KEYCLOAK-2122 Configuration of AssertionConsumerServiceUrl in SAML adapter 2017-04-26 11:59:37 +02:00
Stian Thorgersen
0180d54dd9 KEYCLOAK-4668 Exclude modules in product profile 2017-03-28 10:04:20 +02:00
Bill Burke
e5a2642e62 Merge pull request #3978 from pedroigor/KEYCLOAK-3573
[KEYCLOAK-3573] - Elytron SAML and OIDC Adapters
2017-03-25 19:24:42 -04:00
Pedro Igor
30d7a5b01f [KEYCLOAK-3573] - Elytron SAML and OIDC Adapters 2017-03-24 11:32:08 -03:00
Stian Thorgersen
5d028205bf KEYCLOAK-4659 Changes to adapters for product profile 2017-03-24 12:07:21 +01:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
David Klassen
32d3f760ec KEYCLOAK-4421: Change http url to https
Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-14 10:18:40 +01:00
Bill Burke
0ff4223184 Merge pull request #3922 from hmlnarik/KEYCLOAK-4288-SAML-logouts-are-not-invalidating-the-sessions-for-all-the-logged-in-applications
KEYCLOAK-4288 Invalidate sessions in cluster for SAML logouts
2017-03-09 19:13:37 -05:00
Rene Ploetz
e770a05db0 KEYCLOAK-4537 Jetty 9.4 implementation (OIDC/SAML) 2017-03-06 23:01:24 +01:00
Hynek Mlnarik
3a0c2be885 KEYCLOAK-4288 AS 7 / EAP 6 2017-03-01 15:17:39 +01:00
Hynek Mlnarik
04da679628 KEYCLOAK-4288 Wildfly 2017-03-01 15:17:39 +01:00
Hynek Mlnarik
43be3fc409 KEYCLOAK-4288 Use SessionListener to keep track of local HTTP-SSO session mappings 2017-03-01 15:17:39 +01:00
Hynek Mlnarik
567393a102 KEYCLOAK-4288 Fix SAML logout session for Tomcat/EAP6
When logging out via application (via ?GLO=true query parameter),
CatalinaSamlSessionStore does not expire session, while it does that
in logging by SAML session index.

This causes distributed sessions being invalidated only on node handling
the request, but remains active in other nodes of the cluster. Then the
session can be resurrected on next cache replication back even to the
node where the logout was performed. This behaviour is fixed here.
2017-03-01 15:17:39 +01:00
Stian Thorgersen
aa59c2f95f KEYCLOAK-4394 Use JBoss logging 2017-02-15 09:05:42 +01:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Hynek Mlnarik
350b9550c3 KEYCLOAK-4264 2017-01-19 16:30:01 +01:00
Hynek Mlnarik
4df70c517d KEYCLOAK-4141 2017-01-10 09:02:36 +01:00
Stian Thorgersen
e805ffd945 Bump version to 2.5.1.Final-SNAPSHOT 2016-12-22 08:22:18 +01:00
Hynek Mlnarik
7d51df4eed KEYCLOAK-3971 Explicitly set encoding for SAML message processing 2016-12-15 14:04:34 +01:00
Hynek Mlnarik
5006fe2292 KEYCLOAK-4062 - GUI changes for KeyName format + few tests 2016-12-12 22:29:01 +01:00
Stian Thorgersen
b771b84f56 Bump to 2.5.0.Final-SNAPSHOT 2016-11-30 15:44:51 +01:00
Stian Thorgersen
6ec82865d3 Bump version to 2.4.1.Final-SNAPSHOT 2016-11-22 14:56:21 +01:00
Stian Thorgersen
65136fabdd Merge pull request #3486 from hmlnarik/KEYCLOAK-3488
KEYCLOAK-3488 Fix typo in SamlPrincipal
2016-11-16 12:21:50 +01:00
Hynek Mlnarik
43002f7a8a KEYCLOAK-3488 Fix typo 2016-11-09 15:11:45 +01:00
Hynek Mlnarik
025cf5ebaf KEYCLOAK-3870 Schema for keycloak-saml.xml
Updated schema for keycloak-saml.xml (added documentation, set
up enumeration instead of free string where applicable per documentation)
and updated existing keycloak-saml.xml files with schema reference.
2016-11-09 10:45:43 +01:00
Hynek Mlnarik
570d71c07b KEYCLOAK-1881 Update client adapter configuration
Client adapter configuration was updated to support customization
of HttpClient used for key retrieval similarly to OIDC. Further, it is
now possible to specify several static public keys for signature
verification in saml-client.xml.
2016-11-04 21:53:43 +01:00
Hynek Mlnarik
1ae268ec6f KEYCLOAK-1881 Include key ID for REDIRECT and use it for validation
Contrary to POST binding, signature of SAML protocol message sent using
REDIRECT binding is contained in query parameters and not in the
message. This renders <dsig:KeyName> key ID hint unusable. This commit
adds <Extensions> element in SAML protocol message containing key ID so
that key ID is present in the SAML protocol message.
2016-11-04 21:53:43 +01:00
Hynek Mlnarik
10deac0b06 KEYCLOAK-1881 KeyLocator implementation for SAML descriptor 2016-11-04 21:53:43 +01:00
Hynek Mlnarik
057cc37b60 KEYCLOAK-1881 Clone OIDC adapter HttpClient tools to SAML adapter
and
KEYCLOAK-1881 Extract httpclient configuration from AdapterConfig
2016-11-04 21:53:43 +01:00
Hynek Mlnarik
5d840500af KEYCLOAK-1881 Include key ID in <ds:KeyInfo> in SAML assertions and protocol message
Changes of SAML assertion creation/parsing that are required to allow
for validation of rotating realm key: signed SAML assertions and signed
SAML protocol message now contain signing key ID in XML <dsig:KeyName>
element.
2016-11-04 21:53:43 +01:00
Stian Thorgersen
4d47f758fc Merge pull request #3405 from stianst/master
Bump version
2016-10-21 10:11:59 +02:00
Stian Thorgersen
c615674cbb Bump version 2016-10-21 07:03:15 +02:00
Pulkit Gupta
8e9db1be96 fixed null pointer exception when principal is null 2016-10-20 13:39:04 +05:30