
Example 6 with SP

use of org.keycloak.adapters.saml.config.SP in project keycloak by keycloak.

the class DeploymentBuilder method build.

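/**
 * Builds a {@link SamlDeployment} from the adapter configuration XML.
 *
 * <p>The first {@code SP} element of the parsed configuration is used. Defaults applied when the
 * configuration is silent: signature algorithm {@code RSA_SHA256} and the single role attribute
 * name {@code "Role"}. SP signing/encryption keys are loaded either from a keystore (resolved
 * through {@code resourceLoader}) or from inline PEM material; IdP signing keys are handed to
 * {@code processSigningKey}.
 *
 * @param xml            the adapter configuration document
 * @param resourceLoader resolves keystore resources referenced by the configuration
 * @return the populated deployment
 * @throws ParsingException if the XML cannot be parsed
 * @throws RuntimeException if the configuration is incomplete (no SP element, missing key
 *                          material, unknown keystore alias, an AssertionConsumerServiceUrl not
 *                          ending in {@code /saml}) or key material cannot be read
 */
public SamlDeployment build(InputStream xml, ResourceLoader resourceLoader) throws ParsingException {
    DefaultSamlDeployment deployment = new DefaultSamlDeployment();
    DefaultSamlDeployment.DefaultIDP defaultIDP = new DefaultSamlDeployment.DefaultIDP();
    DefaultSamlDeployment.DefaultSingleSignOnService sso = new DefaultSamlDeployment.DefaultSingleSignOnService();
    DefaultSamlDeployment.DefaultSingleLogoutService slo = new DefaultSamlDeployment.DefaultSingleLogoutService();
    defaultIDP.setSingleSignOnService(sso);
    defaultIDP.setSingleLogoutService(slo);

    KeycloakSamlAdapter adapter = (KeycloakSamlAdapter) KeycloakSamlAdapterParser.getInstance().parse(xml);
    if (adapter.getSps() == null || adapter.getSps().isEmpty()) {
        // Report a configuration error instead of failing with IndexOutOfBoundsException on get(0).
        throw new RuntimeException("Adapter configuration does not contain an SP element");
    }
    SP sp = adapter.getSps().get(0);
    deployment.setConfigured(true);
    deployment.setEntityID(sp.getEntityID());
    try {
        URI.create(sp.getEntityID());
    } catch (IllegalArgumentException ex) {
        // Warning only: the entity ID is still used, but, as the message states, audience
        // restriction checks will fail. The %s placeholder was missing before, so the offending
        // value never reached the log.
        log.warnf("Entity ID [%s] is not an URI, assertion that restricts audience will fail. Update Entity ID to be URI.", sp.getEntityID());
    }
    deployment.setForceAuthentication(sp.isForceAuthentication());
    deployment.setIsPassive(sp.isIsPassive());
    deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat());
    deployment.setLogoutPage(sp.getLogoutPage());

    IDP idp = sp.getIdp();
    deployment.setSignatureCanonicalizationMethod(idp.getSignatureCanonicalizationMethod());
    deployment.setAutodetectBearerOnly(sp.isAutodetectBearerOnly());
    deployment.setKeepDOMAssertion(sp.isKeepDOMAssertion());

    // RSA_SHA256 unless the IdP section names an algorithm; valueOf rejects unknown names.
    deployment.setSignatureAlgorithm(SignatureAlgorithm.RSA_SHA256);
    if (idp.getSignatureAlgorithm() != null) {
        deployment.setSignatureAlgorithm(SignatureAlgorithm.valueOf(idp.getSignatureAlgorithm()));
    }
    if (sp.getPrincipalNameMapping() != null) {
        SamlDeployment.PrincipalNamePolicy policy = SamlDeployment.PrincipalNamePolicy.valueOf(sp.getPrincipalNameMapping().getPolicy());
        deployment.setPrincipalNamePolicy(policy);
        deployment.setPrincipalAttributeName(sp.getPrincipalNameMapping().getAttributeName());
    }

    // Role attribute names default to the single attribute "Role".
    if (sp.getRoleAttributes() != null) {
        deployment.setRoleAttributeNames(sp.getRoleAttributes());
    } else {
        Set<String> roles = new HashSet<>();
        roles.add("Role");
        deployment.setRoleAttributeNames(roles);
    }
    if (sp.getSslPolicy() != null) {
        deployment.setSslRequired(SslRequired.valueOf(sp.getSslPolicy()));
    }
    if (sp.getKeys() != null) {
        for (Key key : sp.getKeys()) {
            // A <Key> may serve both purposes; for each purpose the last matching key wins.
            if (key.isSigning()) {
                deployment.setSigningKeyPair(loadSpSigningKeyPair(resourceLoader, key));
            }
            if (key.isEncryption()) {
                deployment.setDecryptionKey(loadSpDecryptionKey(resourceLoader, key));
            }
        }
    }

    deployment.setIdp(defaultIDP);
    defaultIDP.setEntityID(idp.getEntityID());
    sso.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getRequestBinding()));
    sso.setRequestBindingUrl(idp.getSingleSignOnService().getBindingUrl());
    if (idp.getSingleSignOnService().getResponseBinding() != null) {
        sso.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleSignOnService().getResponseBinding()));
    }
    if (idp.getAllowedClockSkew() != null) {
        defaultIDP.setAllowedClockSkew(convertClockSkewInMillis(idp.getAllowedClockSkew(), idp.getAllowedClockSkewUnit()));
    }
    if (idp.getSingleSignOnService().getAssertionConsumerServiceUrl() != null) {
        // An explicit ACS URL must end with "/saml"; anything else is rejected as misconfiguration.
        if (!idp.getSingleSignOnService().getAssertionConsumerServiceUrl().endsWith("/saml")) {
            throw new RuntimeException("AssertionConsumerServiceUrl must end with \"/saml\".");
        }
        sso.setAssertionConsumerServiceUrl(URI.create(idp.getSingleSignOnService().getAssertionConsumerServiceUrl()));
    }
    sso.setSignRequest(idp.getSingleSignOnService().isSignRequest());
    sso.setValidateResponseSignature(idp.getSingleSignOnService().isValidateResponseSignature());
    sso.setValidateAssertionSignature(idp.getSingleSignOnService().isValidateAssertionSignature());

    slo.setSignRequest(idp.getSingleLogoutService().isSignRequest());
    slo.setSignResponse(idp.getSingleLogoutService().isSignResponse());
    slo.setValidateResponseSignature(idp.getSingleLogoutService().isValidateResponseSignature());
    slo.setValidateRequestSignature(idp.getSingleLogoutService().isValidateRequestSignature());
    slo.setRequestBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getRequestBinding()));
    slo.setResponseBinding(SamlDeployment.Binding.parseBinding(idp.getSingleLogoutService().getResponseBinding()));
    // POST and redirect bindings have separate SLO URLs; pick the one matching each binding.
    if (slo.getRequestBinding() == SamlDeployment.Binding.POST) {
        slo.setRequestBindingUrl(idp.getSingleLogoutService().getPostBindingUrl());
    } else {
        slo.setRequestBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl());
    }
    if (slo.getResponseBinding() == SamlDeployment.Binding.POST) {
        slo.setResponseBindingUrl(idp.getSingleLogoutService().getPostBindingUrl());
    } else {
        slo.setResponseBindingUrl(idp.getSingleLogoutService().getRedirectBindingUrl());
    }

    // Only the IdP's signing keys are relevant to the adapter (response/assertion verification).
    if (idp.getKeys() != null) {
        for (Key key : idp.getKeys()) {
            if (key.isSigning()) {
                processSigningKey(defaultIDP, key, resourceLoader);
            }
        }
    }
    defaultIDP.setMetadataUrl(idp.getMetadataUrl());
    defaultIDP.setClient(new HttpClientBuilder().build(idp.getHttpClientConfig()));
    defaultIDP.refreshKeyLocatorConfiguration();
    // set the role mappings provider.
    deployment.setRoleMappingsProvider(RoleMappingsProviderUtils.bootstrapRoleMappingsProvider(deployment, resourceLoader, sp.getRoleMappingsProviderConfig()));
    return deployment;
}

/**
 * Loads the SP signing key pair described by {@code key}: from the referenced keystore when one is
 * configured, otherwise from the inline PEM private key plus PEM public key / certificate.
 *
 * @param resourceLoader resolves the keystore resource
 * @param key            the {@code <Key>} configuration marked as signing
 * @return the signing key pair
 * @throws RuntimeException if the key material is incomplete, an alias is not present in the
 *                          keystore, or the material cannot be read
 */
private KeyPair loadSpSigningKeyPair(ResourceLoader resourceLoader, Key key) {
    PrivateKey privateKey;
    PublicKey publicKey;
    if (key.getKeystore() != null) {
        KeyStore keyStore = loadKeystore(resourceLoader, key);
        String certificateAlias = key.getKeystore().getCertificateAlias();
        String privateKeyAlias = key.getKeystore().getPrivateKeyAlias();
        Certificate cert;
        try {
            log.debugf("Try to load key [%s]", certificateAlias);
            cert = keyStore.getCertificate(certificateAlias);
            privateKey = (PrivateKey) keyStore.getKey(privateKeyAlias, key.getKeystore().getPrivateKeyPassword().toCharArray());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        // KeyStore returns null for an unknown alias; previously this was only logged and then
        // surfaced as a NullPointerException (certificate) or a KeyPair with a null private key.
        if (cert == null) {
            throw new RuntimeException("Key alias " + certificateAlias + " is not found into keystore");
        }
        if (privateKey == null) {
            throw new RuntimeException("Private key alias " + privateKeyAlias + " is not found into keystore");
        }
        publicKey = cert.getPublicKey();
    } else {
        if (key.getPrivateKeyPem() == null) {
            throw new RuntimeException("SP signing key must have a PrivateKey defined");
        }
        // Checked before decoding so the configuration error is reported directly rather than
        // wrapped as the cause of another RuntimeException.
        if (key.getPublicKeyPem() == null && key.getCertificatePem() == null) {
            throw new RuntimeException("Sp signing key must have a PublicKey or Certificate defined");
        }
        try {
            privateKey = PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
            publicKey = getPublicKeyFromPem(key);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
    return new KeyPair(publicKey, privateKey);
}

/**
 * Loads the SP decryption (private) key described by {@code key}: from the referenced keystore when
 * one is configured, otherwise from the inline PEM private key.
 *
 * @param resourceLoader resolves the keystore resource
 * @param key            the {@code <Key>} configuration marked as encryption
 * @return the private key used to decrypt assertions
 * @throws RuntimeException if no private key is configured, the alias is not present in the
 *                          keystore, or the material cannot be read
 */
private PrivateKey loadSpDecryptionKey(ResourceLoader resourceLoader, Key key) {
    if (key.getKeystore() != null) {
        KeyStore keyStore = loadKeystore(resourceLoader, key);
        String privateKeyAlias = key.getKeystore().getPrivateKeyAlias();
        PrivateKey privateKey;
        try {
            privateKey = (PrivateKey) keyStore.getKey(privateKeyAlias, key.getKeystore().getPrivateKeyPassword().toCharArray());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        // KeyStore returns null for an unknown alias; fail here rather than installing a null key.
        if (privateKey == null) {
            throw new RuntimeException("Private key alias " + privateKeyAlias + " is not found into keystore");
        }
        return privateKey;
    }
    if (key.getPrivateKeyPem() == null) {
        // Message previously said "signing key", copied from the signing branch.
        throw new RuntimeException("SP encryption key must have a PrivateKey defined");
    }
    try {
        return PemUtils.decodePrivateKey(key.getPrivateKeyPem().trim());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}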

Example 7 with SP

use of org.keycloak.adapters.saml.config.SP in project keycloak by keycloak.

the class SpParser method instantiateElement.

/**
 * Creates the {@link SP} object for an {@code SP} start element and copies the element's
 * attributes onto it. Only {@code entityID} is read through the required-attribute accessor;
 * every other attribute goes through the plain accessor.
 *
 * @param xmlEventReader the StAX reader positioned at the element (not consumed here)
 * @param element        the {@code SP} start element whose attributes are read
 * @return the populated {@link SP}
 * @throws ParsingException propagated from the attribute accessors
 */
@Override
protected SP instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    SP result = new SP();

    String entityId = StaxParserUtil.getRequiredAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_ENTITY_ID);
    result.setEntityID(entityId);

    // String-valued attributes read through the non-required accessor.
    result.setSslPolicy(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_SSL_POLICY));
    result.setLogoutPage(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_LOGOUT_PAGE));
    result.setNameIDPolicyFormat(StaxParserUtil.getAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_NAME_ID_POLICY_FORMAT));

    // Boolean-valued attributes.
    result.setForceAuthentication(StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_FORCE_AUTHENTICATION));
    result.setIsPassive(StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_IS_PASSIVE));
    result.setAutodetectBearerOnly(StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_AUTODETECT_BEARER_ONLY));
    result.setTurnOffChangeSessionIdOnLogin(StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_TURN_OFF_CHANGE_SESSSION_ID_ON_LOGIN));
    result.setKeepDOMAssertion(StaxParserUtil.getBooleanAttributeValueRP(element, KeycloakSamlAdapterV1QNames.ATTR_KEEP_DOM_ASSERTION));

    return result;
}

Example 8 with SP

use of org.keycloak.adapters.saml.config.SP in project keycloak by keycloak.

the class KeycloakSamlAdapterXMLParserTest method testXmlParserMultipleSigningKeys.

/**
 * Parses a fixture whose IdP declares four keys and checks that every one of them is a signing
 * key carrying its own inline certificate PEM ({@code "cert pem 0"} .. {@code "cert pem 3"}).
 */
@Test
public void testXmlParserMultipleSigningKeys() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-multiple-signing-keys.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), hasSize(1));

    IDP idp = config.getSps().get(0).getIdp();
    int expectedKeyCount = 4;
    assertThat(idp.getKeys(), hasSize(expectedKeyCount));

    // The certificate PEM of key i is expected to be "cert pem i".
    int index = 0;
    for (Key signingKey : idp.getKeys()) {
        assertThat(signingKey.isSigning(), is(true));
        assertThat(signingKey.getCertificatePem(), is("cert pem " + index));
        index++;
    }
}

Example 9 with SP

use of org.keycloak.adapters.saml.config.SP in project keycloak by keycloak.

the class KeycloakSamlAdapterXMLParserTest method testParseRoleMappingsProvider.

/**
 * Parses a fixture with a {@code RoleMappingsProvider} section and checks the provider id and its
 * two configuration properties are carried over into {@link SP.RoleMappingsProviderConfig}.
 */
@Test
public void testParseRoleMappingsProvider() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-with-role-mappings-provider.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), Matchers.contains(instanceOf(SP.class)));

    SP.RoleMappingsProviderConfig mapperConfig = config.getSps().get(0).getRoleMappingsProviderConfig();
    assertThat(mapperConfig, notNullValue());
    assertThat(mapperConfig.getId(), is("properties-based-role-mapper"));

    Properties settings = mapperConfig.getConfiguration();
    assertThat(settings.size(), is(2));

    String locationKey = "properties.resource.location";
    assertThat(settings.containsKey(locationKey), is(true));
    assertThat(settings.getProperty(locationKey), is("role-mappings.properties"));

    String otherKey = "another.property";
    assertThat(settings.containsKey(otherKey), is(true));
    assertThat(settings.getProperty(otherKey), is("another.value"));
}

Example 10 with SP

use of org.keycloak.adapters.saml.config.SP in project keycloak by keycloak.

the class KeycloakSamlAdapterXMLParserTest method testXmlParserHttpClientSettings.

/**
 * Parses a fixture with an {@code HttpClient} section and checks that every setting is carried
 * over into the IdP's HTTP client configuration.
 *
 * <p>Note that this only verifies parsing: the fixture deliberately enables
 * {@code allowAnyHostname} and {@code disableTrustManager}, which switch off TLS hostname and
 * trust verification; these values are test data, not a recommended configuration.
 */
@Test
public void testXmlParserHttpClientSettings() throws Exception {
    KeycloakSamlAdapter config = parseKeycloakSamlAdapterConfig("keycloak-saml-wth-http-client-settings.xml", KeycloakSamlAdapter.class);
    assertThat(config, notNullValue());
    assertThat(config.getSps(), hasSize(1));

    IDP idp = config.getSps().get(0).getIdp();
    assertThat(idp.getHttpClientConfig(), notNullValue());
    IDP.HttpClientConfig httpClientConfig = idp.getHttpClientConfig();

    // Keystore / truststore references.
    assertThat(httpClientConfig.getClientKeystore(), is("ks"));
    assertThat(httpClientConfig.getClientKeystorePassword(), is("ks-pwd"));
    assertThat(httpClientConfig.getTruststore(), is("ts"));
    assertThat(httpClientConfig.getTruststorePassword(), is("tsp"));

    // Proxy, pool and TLS-verification flags.
    assertThat(httpClientConfig.getProxyUrl(), is("pu"));
    assertThat(httpClientConfig.getConnectionPoolSize(), is(42));
    assertThat(httpClientConfig.isAllowAnyHostname(), is(true));
    assertThat(httpClientConfig.isDisableTrustManager(), is(true));

    // Timeouts (long-valued).
    assertThat(httpClientConfig.getSocketTimeout(), is(6000L));
    assertThat(httpClientConfig.getConnectionTimeout(), is(7000L));
    assertThat(httpClientConfig.getConnectionTTL(), is(200L));
}
