
Example 6 with KeycloakSamlAdapter

use of org.keycloak.adapters.saml.config.KeycloakSamlAdapter in project keycloak by keycloak.

The method build of the class DeploymentBuilder:

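/**
 * Builds a {@link SamlDeployment} from a Keycloak SAML adapter XML configuration.
 *
 * <p>Only the first {@code SP} element of the parsed configuration is used. SP key
 * material (signing key pair, decryption key) is resolved from a keystore or from inline
 * PEM by the private helpers below; IdP signing keys are handed to {@code processSigningKey}.
 * Two configurations that weaken verification — no signature validation on the SSO
 * response, and a disabled TLS trust manager on the IdP HTTP client — are logged as
 * warnings at build time so they are noticed at startup rather than after an incident.
 *
 * @param xml            the adapter configuration XML
 * @param resourceLoader locates keystores and role-mappings provider resources
 * @return the fully configured deployment
 * @throws ParsingException if the XML cannot be parsed
 * @throws RuntimeException if the SP entity ID is missing, if required key material is
 *                          missing or cannot be loaded, or if the AssertionConsumerServiceUrl
 *                          does not end with {@code /saml}
 */
public SamlDeployment build(InputStream xml, ResourceLoader resourceLoader) throws ParsingException {
    DefaultSamlDeployment deployment = new DefaultSamlDeployment();
    DefaultSamlDeployment.DefaultIDP defaultIDP = new DefaultSamlDeployment.DefaultIDP();
    DefaultSamlDeployment.DefaultSingleSignOnService sso = new DefaultSamlDeployment.DefaultSingleSignOnService();
    DefaultSamlDeployment.DefaultSingleLogoutService slo = new DefaultSamlDeployment.DefaultSingleLogoutService();
    defaultIDP.setSingleSignOnService(sso);
    defaultIDP.setSingleLogoutService(slo);

    KeycloakSamlAdapter adapter = (KeycloakSamlAdapter) KeycloakSamlAdapterParser.getInstance().parse(xml);
    SP sp = adapter.getSps().get(0);
    deployment.setConfigured(true);

    String entityId = sp.getEntityID();
    if (entityId == null) {
        // URI.create(null) throws NullPointerException, not IllegalArgumentException;
        // fail with a message that names the missing setting instead.
        throw new RuntimeException("SP entityID must be defined");
    }
    deployment.setEntityID(entityId);
    try {
        URI.create(entityId);
    } catch (IllegalArgumentException ex) {
        // Audience restriction matches the assertion's Audience URI against this value.
        // The original format string had no %s placeholder, so the offending value was never logged.
        log.warnf("Entity ID [%s] is not an URI, assertion that restricts audience will fail. Update Entity ID to be URI.", entityId);
    }

    deployment.setForceAuthentication(sp.isForceAuthentication());
    deployment.setIsPassive(sp.isIsPassive());
    deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat());
    deployment.setLogoutPage(sp.getLogoutPage());

    IDP idp = sp.getIdp();
    deployment.setSignatureCanonicalizationMethod(idp.getSignatureCanonicalizationMethod());
    deployment.setAutodetectBearerOnly(sp.isAutodetectBearerOnly());
    deployment.setKeepDOMAssertion(sp.isKeepDOMAssertion());

    // RSA_SHA256 unless the IdP config names another algorithm; valueOf rejects unknown names.
    deployment.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
    if (idp.getSignatureAlgorithm() != null) {
        deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(idp.getSignatureAlgorithm()));
    }

    if (sp.getPrincipalNameMapping() != null) {
        SamlDeployment.PrincipalNamePolicy policy = SamlDeployment.PrincipalNamePolicy.valueOf(sp.getPrincipalNameMapping().getPolicy());
        deployment.setPrincipalNamePolicy(policy);
        deployment.setPrincipalAttributeName(sp.getPrincipalNameMapping().getAttributeName());
    }

    // Roles come from the "Role" attribute unless the SP config lists its own attribute names.
    deployment.setRoleAttributeNames(sp.getRoleAttributes());
    if (sp.getRoleAttributes() == null) {
        Set<String> roles = new HashSet<>();
        roles.add("Role");
        deployment.setRoleAttributeNames(roles);
    }

    if (sp.getSslPolicy() != null) {
        deployment.setSslRequired(SslRequired.valueOf(sp.getSslPolicy()));
    }

    // SP key material: as before, the last signing / encryption key in document order wins.
    if (sp.getKeys() != null) {
        for (Key key : sp.getKeys()) {
            if (key.isSigning()) {
                deployment.setSigningKeyPair(loadSigningKeyPair(resourceLoader, key));
            }
            if (key.isEncryption()) {
                deployment.setDecryptionKey(loadDecryptionKey(resourceLoader, key));
            }
        }
    }

    deployment.setIdp(defaultIDP);
    defaultIDP.setEntityID(idp.getEntityID());

    sso.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getRequestBinding()));
    sso.setRequestBindingUrl(idp.getSingleSignOnService().getBindingUrl());
    if (idp.getSingleSignOnService().getResponseBinding() != null) {
        sso.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getResponseBinding()));
    }
    if (idp.getAllowedClockSkew() != null) {
        defaultIDP.setAllowedClockSkew(convertClockSkewInMillis(idp.getAllowedClockSkew(), idp.getAllowedClockSkewUnit()));
    }
    if (idp.getSingleSignOnService().getAssertionConsumerServiceUrl() != null) {
        if (!idp.getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) {
            throw new RuntimeException("AssertionConsumerServiceUrl must end with \"/saml\".");
        }
        sso.setAssertionConsumerServiceUrl(URI.create(idp.getSingleSignOnService().getAssertionConsumerServiceUrl()));
    }

    boolean validateResponseSignature = idp.getSingleSignOnService().isValidateResponseSignature();
    boolean validateAssertionSignature = idp.getSingleSignOnService().isValidateAssertionSignature();
    sso.setSignRequest(idp.getSingleSignOnService().isSignRequest());
    sso.setValidateResponseSignature(validateResponseSignature);
    sso.setValidateAssertionSignature(validateAssertionSignature);
    if (!validateResponseSignature && !validateAssertionSignature) {
        // With both flags off the SSO response is (presumably) accepted without any XML
        // signature check, i.e. the IdP's signing keys are never consulted. Make that visible.
        log.warnf("Neither response nor assertion signature validation is enabled for the SingleSignOnService of IdP [%s]; SAML responses will be accepted without signature verification.", idp.getEntityID());
    }

    slo.setSignRequest(idp.getSingleLogoutService().isSignRequest());
    slo.setSignResponse(idp.getSingleLogoutService().isSignResponse());
    slo.setValidateResponseSignature(idp.getSingleLogoutService().isValidateResponseSignature());
    slo.setValidateRequestSignature(idp.getSingleLogoutService().isValidateRequestSignature());
    slo.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getRequestBinding()));
    slo.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getResponseBinding()));
    // For each SLO direction the IdP's POST endpoint is used only for the POST binding;
    // every other binding maps to the redirect endpoint.
    slo.setRequestBindingUrl(slo.getRequestBinding() == SamlDeployment.Binding.POST
            ? idp.getSingleLogoutService().getPostBindingUrl()
            : idp.getSingleLogoutService().getRedirectBindingUrl());
    slo.setResponseBindingUrl(slo.getResponseBinding() == SamlDeployment.Binding.POST
            ? idp.getSingleLogoutService().getPostBindingUrl()
            : idp.getSingleLogoutService().getRedirectBindingUrl());

    if (idp.getKeys() != null) {
        for (Key key : idp.getKeys()) {
            if (key.isSigning()) {
                processSigningKey(defaultIDP, key, resourceLoader);
            }
        }
    }

    defaultIDP.setMetadataUrl(idp.getMetadataUrl());
    if (idp.getHttpClientConfig() != null && idp.getHttpClientConfig().isDisableTrustManager()) {
        // This client is what fetches IdP metadata (and with it the IdP signing keys). With the
        // trust manager disabled, TLS server certificates are not verified, so an on-path attacker
        // could substitute keys. Acceptable for local development only.
        log.warnf("disableTrustManager is set for the HTTP client of IdP [%s]; TLS server certificates will not be verified when contacting the IdP (metadata URL: %s).", idp.getEntityID(), idp.getMetadataUrl());
    }
    defaultIDP.setClient(new HttpClientBuilder().build(idp.getHttpClientConfig()));
    // Must run after metadata URL, HTTP client and IdP signing keys are all in place.
    defaultIDP.refreshKeyLocatorConfiguration();

    // set the role mappings provider.
    deployment.setRoleMappingsProvider(RoleMappingsProviderUtils.bootstrapRoleMappingsProvider(deployment, resourceLoader, sp.getRoleMappingsProviderConfig()));
    return deployment;
}

/**
 * Resolves the SP signing key pair for one {@code Key} marked as signing.
 *
 * <p>Keystore-backed keys need a certificate alias (public half) and a private key alias;
 * PEM-backed keys need a private key plus a public key or certificate. A missing keystore
 * alias is reported by name instead of surfacing as a wrapped NullPointerException or as a
 * key pair whose private half is silently {@code null}.
 *
 * @param resourceLoader used by {@code loadKeystore} to open the keystore resource
 * @param key            the signing key configuration element
 * @return the key pair to sign outgoing SAML messages with
 * @throws RuntimeException if the key material is incomplete or cannot be loaded
 */
private KeyPair loadSigningKeyPair(ResourceLoader resourceLoader, Key key) {
    PrivateKey privateKey;
    PublicKey publicKey;
    if (key.getKeystore() != null) {
        KeyStore keyStore = loadKeystore(resourceLoader, key);
        String certificateAlias = key.getKeystore().getCertificateAlias();
        String privateKeyAlias = key.getKeystore().getPrivateKeyAlias();
        try {
            log.debugf("Try to load key [%s]", certificateAlias);
            Certificate cert = keyStore.getCertificate(certificateAlias);
            if (cert == null) {
                log.errorf("Key alias %s is not found into keystore", certificateAlias);
                throw new RuntimeException("Certificate alias " + certificateAlias + " is not found in keystore");
            }
            publicKey = cert.getPublicKey();
            privateKey = (PrivateKey) keyStore.getKey(privateKeyAlias, key.getKeystore().getPrivateKeyPassword().toCharArray());
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        if (privateKey == null) {
            // KeyStore.getKey returns null for an unknown alias; fail here rather than at first signature.
            throw new RuntimeException("Private key alias " + privateKeyAlias + " is not found in keystore");
        }
    } else {
        if (key.getPrivateKeyPem() == null) {
            throw new RuntimeException("SP signing key must have a PrivateKey defined");
        }
        if (key.getPublicKeyPem() == null && key.getCertificatePem() == null) {
            throw new RuntimeException("Sp signing key must have a PublicKey or Certificate defined");
        }
        try {
            privateKey = PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
            publicKey = getPublicKeyFromPem(key);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
    return new KeyPair(publicKey, privateKey);
}

/**
 * Resolves the SP decryption key (the private half of the encryption key) for one
 * {@code Key} marked as encryption, from either the configured keystore or inline PEM.
 *
 * @param resourceLoader used by {@code loadKeystore} to open the keystore resource
 * @param key            the encryption key configuration element
 * @return the private key used to decrypt incoming assertions
 * @throws RuntimeException if the private key is missing or cannot be loaded
 */
private PrivateKey loadDecryptionKey(ResourceLoader resourceLoader, Key key) {
    if (key.getKeystore() != null) {
        KeyStore keyStore = loadKeystore(resourceLoader, key);
        String privateKeyAlias = key.getKeystore().getPrivateKeyAlias();
        PrivateKey privateKey;
        try {
            privateKey = (PrivateKey) keyStore.getKey(privateKeyAlias, key.getKeystore().getPrivateKeyPassword().toCharArray());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        if (privateKey == null) {
            throw new RuntimeException("Private key alias " + privateKeyAlias + " is not found in keystore");
        }
        return privateKey;
    }
    if (key.getPrivateKeyPem() == null) {
        // The original message said "signing key" here, which misdirects whoever is fixing the encryption key.
        throw new RuntimeException("SP encryption key must have a PrivateKey defined");
    }
    try {
        return PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}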

Example 7 with KeycloakSamlAdapter

use of org.keycloak.adapters.saml.config.KeycloakSamlAdapter in project keycloak by keycloak.

The method testXmlParserMultipleSigningKeys of the class KeycloakSamlAdapterXMLParserTest:

/**
 * An IdP element with four {@code <Key signing="true">} children must parse into four
 * signing keys, in document order, each carrying its own certificate PEM.
 */
@Test
public void testXmlParserMultipleSigningKeys() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-multiple-signing-keys.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), hasSize(1));

    IDP idp = config.getSps().get(0).getIdp();
    assertThat(idp.getKeys(), hasSize(4));

    // The fixture numbers its certificate PEMs 0..3 in document order.
    int position = 0;
    for (Key signingKey : idp.getKeys()) {
        assertThat(signingKey.isSigning(), is(true));
        assertThat(signingKey.getCertificatePem(), is("cert pem " + position));
        position++;
    }
}

Example 8 with KeycloakSamlAdapter

use of org.keycloak.adapters.saml.config.KeycloakSamlAdapter in project keycloak by keycloak.

The method testParseRoleMappingsProvider of the class KeycloakSamlAdapterXMLParserTest:

/**
 * The {@code RoleMappingsProvider} element must parse into a provider id plus a
 * {@link Properties} bag holding exactly the configured key/value pairs.
 */
@Test
public void testParseRoleMappingsProvider() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-with-role-mappings-provider.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), Matchers.contains(instanceOf(SP.class)));

    SP.RoleMappingsProviderConfig mapperConfig = config.getSps().get(0).getRoleMappingsProviderConfig();
    assertThat(mapperConfig, notNullValue());
    assertThat(mapperConfig.getId(), is("properties-based-role-mapper"));

    Properties settings = mapperConfig.getConfiguration();
    assertThat(settings.size(), is(2));
    // Both fixture properties must survive parsing with their values intact.
    assertThat(settings.containsKey("properties.resource.location"), is(true));
    assertThat(settings.getProperty("properties.resource.location"), is("role-mappings.properties"));
    assertThat(settings.containsKey("another.property"), is(true));
    assertThat(settings.getProperty("another.property"), is("another.value"));
}

Example 9 with KeycloakSamlAdapter

use of org.keycloak.adapters.saml.config.KeycloakSamlAdapter in project keycloak by keycloak.

The method testXmlParserHttpClientSettings of the class KeycloakSamlAdapterXMLParserTest:

/**
 * Every attribute of the IdP {@code HttpClient} element must round-trip into
 * {@code HttpClientConfig}. Note that the fixture deliberately sets
 * {@code disableTrustManager} and {@code allowAnyHostname} to {@code true}; this only
 * checks that the parser preserves them, it is not a recommended configuration.
 */
@Test
public void testXmlParserHttpClientSettings() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-wth-http-client-settings.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), hasSize(1));

    IDP idp = config.getSps().get(0).getIdp();
    assertThat(idp.getHttpClientConfig(), notNullValue());

    // Key material and proxy settings.
    assertThat(idp.getHttpClientConfig().getClientKeystore(), is("ks"));
    assertThat(idp.getHttpClientConfig().getClientKeystorePassword(), is("ks-pwd"));
    assertThat(idp.getHttpClientConfig().getTruststore(), is("ts"));
    assertThat(idp.getHttpClientConfig().getTruststorePassword(), is("tsp"));
    assertThat(idp.getHttpClientConfig().getProxyUrl(), is("pu"));

    // TLS verification switches (fixture values, see class comment above).
    assertThat(idp.getHttpClientConfig().isAllowAnyHostname(), is(true));
    assertThat(idp.getHttpClientConfig().isDisableTrustManager(), is(true));

    // Connection pool and timeout tuning.
    assertThat(idp.getHttpClientConfig().getConnectionPoolSize(), is(42));
    assertThat(idp.getHttpClientConfig().getSocketTimeout(), is(6000L));
    assertThat(idp.getHttpClientConfig().getConnectionTimeout(), is(7000L));
    assertThat(idp.getHttpClientConfig().getConnectionTTL(), is(200L));
}

Example 10 with KeycloakSamlAdapter

use of org.keycloak.adapters.saml.config.KeycloakSamlAdapter in project keycloak by keycloak.

The method testAllowedClockSkewWithUnit of the class KeycloakSamlAdapterXMLParserTest:

/**
 * An {@code AllowedClockSkew} element with an explicit unit must parse into both the
 * numeric value and the matching {@link TimeUnit}.
 */
@Test
public void testAllowedClockSkewWithUnit() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-with-allowed-clock-skew-with-unit.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), Matchers.contains(instanceOf(SP.class)));

    IDP idp = config.getSps().get(0).getIdp();
    assertThat(idp.getAllowedClockSkewUnit(), is(TimeUnit.MILLISECONDS));
    assertThat(idp.getAllowedClockSkew(), is(3500));
}
