use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class SAMLLogoutAdapterTest method extractNameId.
private SAML2Object extractNameId(SAML2Object so) {
assertThat(so, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
ResponseType loginResp1 = (ResponseType) so;
final AssertionType firstAssertion = loginResp1.getAssertions().get(0).getAssertion();
assertThat(firstAssertion, org.hamcrest.Matchers.notNullValue());
assertThat(firstAssertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
NameIDType nameId = (NameIDType) firstAssertion.getSubject().getSubType().getBaseID();
AuthnStatementType firstAssertionStatement = (AuthnStatementType) firstAssertion.getStatements().iterator().next();
nameIdRef.set(nameId);
sessionIndexRef.set(firstAssertionStatement.getSessionIndex());
return so;
}
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class ClientTokenExchangeSAML2Test method testExchangeToSAML2EncryptedAssertion.
@Test
@UncaughtServerErrorExpected
public void testExchangeToSAML2EncryptedAssertion() throws Exception {
testingClient.server().run(ClientTokenExchangeSAML2Test::setupRealm);
oauth.realm(TEST);
oauth.clientId("client-exchanger");
OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
String accessToken = response.getAccessToken();
TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
AccessToken token = accessTokenVerifier.parse().getToken();
Assert.assertEquals(token.getPreferredUsername(), "user");
Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
Map<String, String> params = new HashMap<>();
params.put(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE);
{
response = oauth.doTokenExchange(TEST, accessToken, SAML_ENCRYPTED_TARGET, "client-exchanger", "secret", params);
String exchangedTokenString = response.getAccessToken();
String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
// Verify issued_token_type
Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
// Decrypt assertion
Document assertionDoc = DocumentUtil.getDocument(assertionXML);
Element assertionElement = XMLEncryptionUtil.decryptElementInDocument(assertionDoc, privateKeyFromString(ENCRYPTION_PRIVATE_KEY));
Assert.assertFalse(AssertionUtil.isSignedElement(assertionElement));
AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
// Expires
Assert.assertEquals(30, response.getExpiresIn());
// Audience
AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
Assert.assertEquals(SAML_ENCRYPTED_TARGET, aud.getAudience().get(0).toString());
// NameID
Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
// Role mapping
List<String> roles = AssertionUtil.getRoles(assertion, null);
Assert.assertTrue(roles.contains("example"));
}
}
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class ClientTokenExchangeSAML2Test method testExchangeToSAML2SignedAssertion.
@Test
@UncaughtServerErrorExpected
public void testExchangeToSAML2SignedAssertion() throws Exception {
testingClient.server().run(ClientTokenExchangeSAML2Test::setupRealm);
oauth.realm(TEST);
oauth.clientId("client-exchanger");
OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
String accessToken = response.getAccessToken();
TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
AccessToken token = accessTokenVerifier.parse().getToken();
Assert.assertEquals(token.getPreferredUsername(), "user");
Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
Map<String, String> params = new HashMap<>();
params.put(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE);
{
response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "client-exchanger", "secret", params);
String exchangedTokenString = response.getAccessToken();
String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
// Verify issued_token_type
Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
// Verify assertion
Element assertionElement = DocumentUtil.getDocument(assertionXML).getDocumentElement();
Assert.assertTrue(AssertionUtil.isSignedElement(assertionElement));
AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
Assert.assertTrue(AssertionUtil.isSignatureValid(assertionElement, publicKeyFromString(REALM_PUBLIC_KEY)));
// Expires
Assert.assertEquals(60, response.getExpiresIn());
// Audience
AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
Assert.assertEquals(SAML_SIGNED_TARGET, aud.getAudience().get(0).toString());
// NameID
Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
// Role mapping
List<String> roles = AssertionUtil.getRoles(assertion, null);
Assert.assertTrue(roles.contains("example"));
}
{
response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "legal", "secret", params);
String exchangedTokenString = response.getAccessToken();
String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
// Verify issued_token_type
Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
// Verify assertion
Element assertionElement = DocumentUtil.getDocument(assertionXML).getDocumentElement();
Assert.assertTrue(AssertionUtil.isSignedElement(assertionElement));
AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
Assert.assertTrue(AssertionUtil.isSignatureValid(assertionElement, publicKeyFromString(REALM_PUBLIC_KEY)));
// Audience
AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
Assert.assertEquals(SAML_SIGNED_TARGET, aud.getAudience().get(0).toString());
// NameID
Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
// Role mapping
List<String> roles = AssertionUtil.getRoles(assertion, null);
Assert.assertTrue(roles.contains("example"));
}
{
response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "illegal", "secret", params);
Assert.assertEquals(403, response.getStatusCode());
}
}
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class SAMLParserTest method testSaml20AssertionExample.
@Test
public void testSaml20AssertionExample() throws Exception {
AssertionType assertion = assertParsed("saml20-assertion-example.xml", AssertionType.class);
AttributeStatementType attributeStatementType = assertion.getAttributeStatements().iterator().next();
assertThat(attributeStatementType.getAttributes(), hasSize(9));
for (AttributeStatementType.ASTChoiceType choiceType : attributeStatementType.getAttributes()) {
AttributeType attr = choiceType.getAttribute();
String attrName = attr.getName();
Object value = attr.getAttributeValue().get(0);
// test selected attributes
switch(attrName) {
case "portal_id":
assertEquals(value, "060D00000000SHZ");
break;
case "organization_id":
assertThat(value, instanceOf(String.class));
assertThat((String) value, containsString("<n3:stuff xmlns:n3=\"ftp://example.org\">00DD0000000F7L5</n3:stuff>"));
break;
case "has_sub_organization":
assertThat(value, is((Object) "true"));
break;
case "anytype_test":
assertThat(value, instanceOf(String.class));
assertThat((String) value, containsString("<elem2>val2</elem2>"));
break;
case "anytype_no_xml_test":
assertThat(value, is((Object) "value_no_xml"));
break;
case "logouturl":
assertThat(value, is((Object) "http://www.salesforce.com/security/del_auth/SsoLogoutPage.html"));
break;
case "nil_value_attribute":
assertNull(value);
break;
case "status":
assertThat(value, is((Object) "<status><code><status>XYZ</status></code></status>"));
break;
default:
break;
}
}
}
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class SAMLParserTest method testSaml20AuthnResponseNonAsciiNameDefaultLatin2.
@Test
public void testSaml20AuthnResponseNonAsciiNameDefaultLatin2() throws Exception {
ResponseType rt = assertParsed("KEYCLOAK-3971-8859-2-in-header-authnresponse.xml", ResponseType.class);
assertThat(rt.getAssertions().size(), is(1));
final AssertionType assertion = rt.getAssertions().get(0).getAssertion();
final SubjectType subject = assertion.getSubject();
assertThat(subject.getConfirmation(), hasSize(1));
SubjectConfirmationType confirmation = subject.getConfirmation().get(0);
assertThat(confirmation.getMethod(), is(JBossSAMLURIConstants.SUBJECT_CONFIRMATION_BEARER.get()));
assertThat(confirmation.getSubjectConfirmationData(), notNullValue());
assertThat(confirmation.getSubjectConfirmationData().getInResponseTo(), is("ID_cc0ff6f7-b481-4c98-9a79-481d50958290"));
assertThat(confirmation.getSubjectConfirmationData().getRecipient(), is("http://localhost:8080/sales-post-sig/saml"));
assertThat(subject.getSubType().getBaseID(), instanceOf(NameIDType.class));
NameIDType nameId = (NameIDType) subject.getSubType().getBaseID();
assertThat(nameId.getValue(), is("ročéíöüßäöü"));
}
Aggregations