
Example 1 with Key

use of org.keycloak.adapters.saml.config.Key in project keycloak by keycloak.

the class KeycloakSamlAdapterXMLParserTest method testXmlParserBaseFile.

/**
 * Parses the baseline {@code keycloak-saml.xml} fixture and checks that the SP, key and IDP
 * settings read back from the {@link KeycloakSamlAdapter} model match the expected values.
 *
 * <p>The passwords and PEM values asserted below ("pw", "private pw", "private pem", ...) are
 * placeholder strings; this test only compares them as strings through the getters.
 */
@Test
public void testXmlParserBaseFile() throws Exception {
    KeycloakSamlAdapter adapterConfig = parseKeycloakSamlAdapterConfig("keycloak-saml.xml", KeycloakSamlAdapter.class);
    assertThat(adapterConfig, notNullValue());
    assertThat(adapterConfig.getSps(), hasSize(1));

    // --- Service provider attributes ---
    SP serviceProvider = adapterConfig.getSps().get(0);
    assertThat(serviceProvider.getEntityID(), is("sp"));
    assertThat(serviceProvider.getSslPolicy(), is("EXTERNAL"));
    assertThat(serviceProvider.getNameIDPolicyFormat(), is("format"));
    assertThat(serviceProvider.isForceAuthentication(), is(true));
    assertThat(serviceProvider.isIsPassive(), is(true));
    assertThat(serviceProvider.isAutodetectBearerOnly(), is(false));
    assertThat(serviceProvider.isKeepDOMAssertion(), is(false));
    assertThat(serviceProvider.getKeys(), hasSize(2));

    // --- First SP key: signing key backed by a keystore ---
    Key spSigningKey = serviceProvider.getKeys().get(0);
    assertThat(spSigningKey.isSigning(), is(true));
    Key.KeyStoreConfig keystoreConfig = spSigningKey.getKeystore();
    assertThat(keystoreConfig, notNullValue());
    assertThat(keystoreConfig.getFile(), is("file"));
    assertThat(keystoreConfig.getResource(), is("cp"));
    assertThat(keystoreConfig.getPassword(), is("pw"));
    assertThat(keystoreConfig.getPrivateKeyAlias(), is("private alias"));
    assertThat(keystoreConfig.getPrivateKeyPassword(), is("private pw"));
    assertThat(keystoreConfig.getCertificateAlias(), is("cert alias"));

    // --- Second SP key: encryption key given as inline PEM ---
    Key spEncryptionKey = serviceProvider.getKeys().get(1);
    assertThat(spEncryptionKey.isEncryption(), is(true));
    assertThat(spEncryptionKey.getPrivateKeyPem(), is("private pem"));
    assertThat(spEncryptionKey.getPublicKeyPem(), is("public pem"));

    // --- Principal name and role mapping ---
    assertThat(serviceProvider.getPrincipalNameMapping().getPolicy(), is("FROM_ATTRIBUTE"));
    assertThat(serviceProvider.getPrincipalNameMapping().getAttributeName(), is("attribute"));
    assertThat(serviceProvider.getRoleAttributes(), hasSize(1));
    assertThat(serviceProvider.getRoleAttributes(), Matchers.contains("member"));

    // --- Identity provider attributes ---
    IDP identityProvider = serviceProvider.getIdp();
    assertThat(identityProvider.getEntityID(), is("idp"));
    assertThat(identityProvider.getSignatureAlgorithm(), is("RSA_SHA256"));
    assertThat(identityProvider.getSignatureCanonicalizationMethod(), is("canon"));

    // --- Single sign-on service: request signing and response signature validation ---
    IDP.SingleSignOnService ssoService = identityProvider.getSingleSignOnService();
    assertThat(ssoService.isSignRequest(), is(true));
    assertThat(ssoService.isValidateResponseSignature(), is(true));
    assertThat(ssoService.getRequestBinding(), is("POST"));
    assertThat(ssoService.getBindingUrl(), is("url"));

    // --- Single logout service: signing flags, bindings and per-binding URLs ---
    IDP.SingleLogoutService sloService = identityProvider.getSingleLogoutService();
    assertThat(sloService.isSignRequest(), is(false));
    assertThat(sloService.isSignResponse(), is(true));
    assertThat(sloService.isValidateRequestSignature(), is(true));
    assertThat(sloService.isValidateResponseSignature(), is(true));
    assertThat(sloService.getRequestBinding(), is("REDIRECT"));
    assertThat(sloService.getResponseBinding(), is("POST"));
    assertThat(sloService.getPostBindingUrl(), is("posturl"));
    assertThat(sloService.getRedirectBindingUrl(), is("redirecturl"));

    // --- IDP signing certificate ---
    assertThat(identityProvider.getKeys(), hasSize(1));
    Key idpSigningKey = identityProvider.getKeys().get(0);
    assertThat(idpSigningKey.isSigning(), is(true));
    assertThat(idpSigningKey.getCertificatePem(), is("cert pem"));
}
Also used : IDP(org.keycloak.adapters.saml.config.IDP) KeycloakSamlAdapter(org.keycloak.adapters.saml.config.KeycloakSamlAdapter) SP(org.keycloak.adapters.saml.config.SP) Key(org.keycloak.adapters.saml.config.Key) Test(org.junit.Test)

Example 2 with Key

use of org.keycloak.adapters.saml.config.Key in project keycloak by keycloak.

the class DeploymentBuilder method build.

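/**
 * Builds a {@link SamlDeployment} from a Keycloak SAML adapter XML configuration.
 *
 * <p>Only the first {@code SP} entry of the parsed configuration is used. SP signing and
 * encryption keys are loaded either from a keystore or from inline PEM values, and the IDP
 * single sign-on / single logout settings are copied into the deployment.
 *
 * @param xml            stream holding the adapter configuration XML
 * @param resourceLoader loader passed on to keystore loading, IDP signing-key processing and
 *                       the role mappings provider bootstrap
 * @return the populated deployment
 * @throws ParsingException declared by this method; presumably raised by the XML parser
 * @throws RuntimeException if key material is missing or cannot be loaded, or if the
 *                          AssertionConsumerServiceUrl does not end with {@code "/saml"}
 */
public SamlDeployment build(InputStream xml, ResourceLoader resourceLoader) throws ParsingException {
    DefaultSamlDeployment deployment = new DefaultSamlDeployment();
    DefaultSamlDeployment.DefaultIDP defaultIDP = new DefaultSamlDeployment.DefaultIDP();
    DefaultSamlDeployment.DefaultSingleSignOnService sso = new DefaultSamlDeployment.DefaultSingleSignOnService();
    DefaultSamlDeployment.DefaultSingleLogoutService slo = new DefaultSamlDeployment.DefaultSingleLogoutService();
    defaultIDP.setSingleSignOnService(sso);
    defaultIDP.setSingleLogoutService(slo);
    KeycloakSamlAdapter adapter = (KeycloakSamlAdapter) KeycloakSamlAdapterParser.getInstance().parse(xml);
    // Only the first configured SP is taken into account; further SP entries are ignored.
    SP sp = adapter.getSps().get(0);
    deployment.setConfigured(true);
    deployment.setEntityID(sp.getEntityID());
    try {
        // Parsed only to validate the syntax; the resulting URI is discarded.
        URI.create(sp.getEntityID());
    } catch (IllegalArgumentException ex) {
        // The format string previously had no placeholder, so the entity ID was never logged.
        log.warnf("Entity ID [%s] is not an URI, assertion that restricts audience will fail. Update Entity ID to be URI.", sp.getEntityID());
    }
    deployment.setForceAuthentication(sp.isForceAuthentication());
    deployment.setIsPassive(sp.isIsPassive());
    deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat());
    deployment.setLogoutPage(sp.getLogoutPage());
    IDP idp = sp.getIdp();
    deployment.setSignatureCanonicalizationMethod(idp.getSignatureCanonicalizationMethod());
    deployment.setAutodetectBearerOnly(sp.isAutodetectBearerOnly());
    deployment.setKeepDOMAssertion(sp.isKeepDOMAssertion());
    // RSA_SHA256 is the default; an explicitly configured algorithm overrides it.
    deployment.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
    if (idp.getSignatureAlgorithm() != null) {
        deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(idp.getSignatureAlgorithm()));
    }
    if (sp.getPrincipalNameMapping() != null) {
        SamlDeployment.PrincipalNamePolicy policy = SamlDeployment.PrincipalNamePolicy.valueOf(sp.getPrincipalNameMapping().getPolicy());
        deployment.setPrincipalNamePolicy(policy);
        deployment.setPrincipalAttributeName(sp.getPrincipalNameMapping().getAttributeName());
    }
    deployment.setRoleAttributeNames(sp.getRoleAttributes());
    if (sp.getRoleAttributes() == null) {
        // No role attributes configured: fall back to the single attribute name "Role".
        Set<String> roles = new HashSet<>();
        roles.add("Role");
        deployment.setRoleAttributeNames(roles);
    }
    if (sp.getSslPolicy() != null) {
        SslRequired ssl = SslRequired.valueOf(sp.getSslPolicy());
        deployment.setSslRequired(ssl);
    }
    if (sp.getKeys() != null) {
        // If several SP keys are flagged as signing (or encryption), the last one wins because
        // each iteration overwrites the deployment's key.
        for (Key key : sp.getKeys()) {
            if (key.isSigning()) {
                PrivateKey privateKey = null;
                PublicKey publicKey = null;
                if (key.getKeystore() != null) {
                    KeyStore keyStore = loadKeystore(resourceLoader, key);
                    String certificateAlias = key.getKeystore().getCertificateAlias();
                    Certificate cert;
                    try {
                        log.debugf("Try to load key [%s]", certificateAlias);
                        cert = keyStore.getCertificate(certificateAlias);
                        // NOTE(review): KeyStore.getKey returns null for an unknown alias, so a
                        // wrong private key alias yields a KeyPair without a private key here.
                        privateKey = (PrivateKey) keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                    if (cert == null) {
                        // Fail with an explicit message instead of the NullPointerException that
                        // dereferencing the missing certificate used to produce.
                        log.errorf("Key alias %s is not found into keystore", certificateAlias);
                        throw new RuntimeException("Certificate alias " + certificateAlias + " is not found in keystore");
                    }
                    publicKey = cert.getPublicKey();
                } else {
                    if (key.getPrivateKeyPem() == null) {
                        throw new RuntimeException("SP signing key must have a PrivateKey defined");
                    }
                    // Checked outside the try block so the message is not re-wrapped by the
                    // generic catch below.
                    if (key.getPublicKeyPem() == null && key.getCertificatePem() == null) {
                        throw new RuntimeException("Sp signing key must have a PublicKey or Certificate defined");
                    }
                    try {
                        privateKey = PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
                        publicKey = getPublicKeyFromPem(key);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                }
                KeyPair keyPair = new KeyPair(publicKey, privateKey);
                deployment.setSigningKeyPair(keyPair);
            }
            if (key.isEncryption()) {
                if (key.getKeystore() != null) {
                    KeyStore keyStore = loadKeystore(resourceLoader, key);
                    try {
                        PrivateKey privateKey = (PrivateKey) keyStore.getKey(key.getKeystore().getPrivateKeyAlias(), key.getKeystore().getPrivateKeyPassword().toCharArray());
                        deployment.setDecryptionKey(privateKey);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                } else {
                    if (key.getPrivateKeyPem() == null) {
                        // Message used to say "signing key" although this is the encryption branch.
                        throw new RuntimeException("SP encryption key must have a PrivateKey defined");
                    }
                    try {
                        PrivateKey privateKey = PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
                        deployment.setDecryptionKey(privateKey);
                    } catch (Exception e) {
                        throw new RuntimeException(e);
                    }
                }
            }
        }
    }
    deployment.setIdp(defaultIDP);
    defaultIDP.setEntityID(idp.getEntityID());
    sso.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getRequestBinding()));
    sso.setRequestBindingUrl(idp.getSingleSignOnService().getBindingUrl());
    if (idp.getSingleSignOnService().getResponseBinding() != null) {
        sso.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getResponseBinding()));
    }
    if (idp.getAllowedClockSkew() != null) {
        defaultIDP.setAllowedClockSkew(convertClockSkewInMillis(idp.getAllowedClockSkew(), idp.getAllowedClockSkewUnit()));
    }
    if (idp.getSingleSignOnService().getAssertionConsumerServiceUrl() != null) {
        // The URL is only accepted when it ends with "/saml".
        if (!idp.getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) {
            throw new RuntimeException("AssertionConsumerServiceUrl must end with \"/saml\".");
        }
        sso.setAssertionConsumerServiceUrl(URI.create(idp.getSingleSignOnService().getAssertionConsumerServiceUrl()));
    }
    // NOTE(review): the sign*/validate* flags are copied verbatim from the configuration.
    // Whether a configuration that disables every signature validation is rejected elsewhere
    // is not visible here; confirm, since such a deployment would not verify IDP messages.
    sso.setSignRequest(idp.getSingleSignOnService().isSignRequest());
    sso.setValidateResponseSignature(idp.getSingleSignOnService().isValidateResponseSignature());
    sso.setValidateAssertionSignature(idp.getSingleSignOnService().isValidateAssertionSignature());
    slo.setSignRequest(idp.getSingleLogoutService().isSignRequest());
    slo.setSignResponse(idp.getSingleLogoutService().isSignResponse());
    slo.setValidateResponseSignature(idp.getSingleLogoutService().isValidateResponseSignature());
    slo.setValidateRequestSignature(idp.getSingleLogoutService().isValidateRequestSignature());
    slo.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getRequestBinding()));
    slo.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getResponseBinding()));
    // The logout URLs follow the chosen binding: POST uses the post URL, anything else the
    // redirect URL.
    if (slo.getRequestBinding() == SamlDeployment.Binding.POST) {
        slo.setRequestBindingUrl(idp.getSingleLogoutService().getPostBindingUrl());
    } else {
        slo.setRequestBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl());
    }
    if (slo.getResponseBinding() == SamlDeployment.Binding.POST) {
        slo.setResponseBindingUrl(idp.getSingleLogoutService().getPostBindingUrl());
    } else {
        slo.setResponseBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl());
    }
    if (idp.getKeys() != null) {
        // Only IDP keys flagged as signing are processed; other IDP keys are skipped.
        for (Key key : idp.getKeys()) {
            if (key.isSigning()) {
                processSigningKey(defaultIDP, key, resourceLoader);
            }
        }
    }
    defaultIDP.setMetadataUrl(idp.getMetadataUrl());
    defaultIDP.setClient(new HttpClientBuilder().build(idp.getHttpClientConfig()));
    defaultIDP.refreshKeyLocatorConfiguration();
    // set the role mappings provider.
    deployment.setRoleMappingsProvider(RoleMappingsProviderUtils.bootstrapRoleMappingsProvider(deployment, resourceLoader, sp.getRoleMappingsProviderConfig()));
    return deployment;
}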
Also used : PrivateKey(java.security.PrivateKey) SslRequired(org.keycloak.common.enums.SslRequired) DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment) HttpClientBuilder(org.keycloak.adapters.cloned.HttpClientBuilder) IDP(org.keycloak.adapters.saml.config.IDP) SP(org.keycloak.adapters.saml.config.SP) HashSet(java.util.HashSet) KeyPair(java.security.KeyPair) PublicKey(java.security.PublicKey) DefaultSamlDeployment(org.keycloak.adapters.saml.DefaultSamlDeployment) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) KeyStore(java.security.KeyStore) KeyStoreException(java.security.KeyStoreException) CertificateException(java.security.cert.CertificateException) FileNotFoundException(java.io.FileNotFoundException) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) KeycloakSamlAdapter(org.keycloak.adapters.saml.config.KeycloakSamlAdapter) Key(org.keycloak.adapters.saml.config.Key) PublicKey(java.security.PublicKey) PrivateKey(java.security.PrivateKey) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 3 with Key

use of org.keycloak.adapters.saml.config.Key in project keycloak by keycloak.

the class KeyParser method instantiateElement.

/**
 * Creates the {@link Key} model object for a key start element, copying its signing and
 * encryption attributes. The event reader is not consulted by this method.
 *
 * @param xmlEventReader reader positioned at the element (unused here)
 * @param element        start element whose attributes are read
 * @return a new key with its signing and encryption flags set from the element
 * @throws ParsingException declared by the overridden method
 */
@Override
protected Key instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    final Key parsedKey = new Key();

    // Signing flag first, then encryption flag, each read from the element's attributes.
    parsedKey.setSigning(
            StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_SIGNING));
    parsedKey.setEncryption(
            StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_ENCRYPTION));

    return parsedKey;
}
Also used : Key(org.keycloak.adapters.saml.config.Key)

Example 4 with Key

use of org.keycloak.adapters.saml.config.Key in project keycloak by keycloak.

the class KeycloakSamlAdapterXMLParserTest method testXmlParserMultipleSigningKeys.

/**
 * Parses {@code keycloak-saml-multiple-signing-keys.xml} and checks that the IDP exposes four
 * signing keys whose certificate PEM values are "cert pem 0" through "cert pem 3", in that
 * order.
 */
@Test
public void testXmlParserMultipleSigningKeys() throws Exception {
    KeycloakSamlAdapter adapterConfig = parseKeycloakSamlAdapterConfig("keycloak-saml-multiple-signing-keys.xml", KeycloakSamlAdapter.class);
    assertThat(adapterConfig, notNullValue());
    assertThat(adapterConfig.getSps(), hasSize(1));

    IDP identityProvider = adapterConfig.getSps().get(0).getIdp();
    assertThat(identityProvider.getKeys(), hasSize(4));

    // Every key must be a signing key and keep its position from the configuration file.
    int index = 0;
    while (index < 4) {
        Key signingKey = identityProvider.getKeys().get(index);
        assertThat(signingKey.isSigning(), is(true));
        assertThat(signingKey.getCertificatePem(), is("cert pem " + index));
        index++;
    }
}
Also used : IDP(org.keycloak.adapters.saml.config.IDP) KeycloakSamlAdapter(org.keycloak.adapters.saml.config.KeycloakSamlAdapter) SP(org.keycloak.adapters.saml.config.SP) Key(org.keycloak.adapters.saml.config.Key) Test(org.junit.Test)

Aggregations

Key (org.keycloak.adapters.saml.config.Key)4 IDP (org.keycloak.adapters.saml.config.IDP)3 KeycloakSamlAdapter (org.keycloak.adapters.saml.config.KeycloakSamlAdapter)3 SP (org.keycloak.adapters.saml.config.SP)3 Test (org.junit.Test)2 FileNotFoundException (java.io.FileNotFoundException)1 KeyPair (java.security.KeyPair)1 KeyStore (java.security.KeyStore)1 KeyStoreException (java.security.KeyStoreException)1 PrivateKey (java.security.PrivateKey)1 PublicKey (java.security.PublicKey)1 Certificate (java.security.cert.Certificate)1 CertificateException (java.security.cert.CertificateException)1 X509Certificate (java.security.cert.X509Certificate)1 HashSet (java.util.HashSet)1 HttpClientBuilder (org.keycloak.adapters.cloned.HttpClientBuilder)1 DefaultSamlDeployment (org.keycloak.adapters.saml.DefaultSamlDeployment)1 SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)1 SslRequired (org.keycloak.common.enums.SslRequired)1 ParsingException (org.keycloak.saml.common.exceptions.ParsingException)1