Examples with AttributeStatementType org.keycloak.dom.saml.v2.assertion.AttributeStatementType used on opensource projects

Example 1 with AttributeStatementType

use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.

the class SAMLParserTest method testSaml20AssertionExample.

@Test
public void testSaml20AssertionExample() throws Exception {
    AssertionType assertion = assertParsed("saml20-assertion-example.xml", AssertionType.class);
    AttributeStatementType attributeStatementType = assertion.getAttributeStatements().iterator().next();
    assertThat(attributeStatementType.getAttributes(), hasSize(9));
    for (AttributeStatementType.ASTChoiceType choiceType : attributeStatementType.getAttributes()) {
        AttributeType attr = choiceType.getAttribute();
        String attrName = attr.getName();
        Object value = attr.getAttributeValue().get(0);
        // test selected attributes
        switch(attrName) {
            case "portal_id":
                assertEquals(value, "060D00000000SHZ");
                break;
            case "organization_id":
                assertThat(value, instanceOf(String.class));
                assertThat((String) value, containsString("<n3:stuff xmlns:n3=\"ftp://example.org\">00DD0000000F7L5</n3:stuff>"));
                break;
            case "has_sub_organization":
                assertThat(value, is((Object) "true"));
                break;
            case "anytype_test":
                assertThat(value, instanceOf(String.class));
                assertThat((String) value, containsString("<elem2>val2</elem2>"));
                break;
            case "anytype_no_xml_test":
                assertThat(value, is((Object) "value_no_xml"));
                break;
            case "logouturl":
                assertThat(value, is((Object) "http://www.salesforce.com/security/del_auth/SsoLogoutPage.html"));
                break;
            case "nil_value_attribute":
                assertNull(value);
                break;
            case "status":
                assertThat(value, is((Object) "<status><code><status>XYZ</status></code></status>"));
                break;
            default:
                break;
        }
    }
}

Example 2 with AttributeStatementType

use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.

the class SAMLParserTest method testSaml20AssertionsAdviceTag.

@Test
public void testSaml20AssertionsAdviceTag() throws Exception {
    Matcher<String>[] ATTR_NAME = new Matcher[] { is("portal_id"), is("organization_id"), is("status"), is("has_sub_organization"), is("anytype_test"), is("anytype_no_xml_test"), is("ssostartpage"), is("logouturl"), is("nil_value_attribute") };
    Matcher<List<Object>>[] ATTR_VALUE = new Matcher[] { contains(is("060D00000000SHZ")), contains(is("<n1:elem2 xmlns:n1=\"http://example.net\" xml:lang=\"en\"><n3:stuff xmlns:n3=\"ftp://example.org\">00DD0000000F7L5</n3:stuff></n1:elem2>")), contains(is("<status><code><status>XYZ</status></code></status>")), contains(is("true")), contains(is("<elem1 atttr1=\"en\"><elem2>val2</elem2></elem1>")), contains(is("value_no_xml")), contains(is("http://www.salesforce.com/security/saml/saml20-gen.jsp")), contains(is("http://www.salesforce.com/security/del_auth/SsoLogoutPage.html")), contains(nullValue()) };
    AssertionType a = assertParsed("saml20-assertion-advice.xml", AssertionType.class);
    assertThat(a.getStatements(), containsInAnyOrder(instanceOf(AuthnStatementType.class), instanceOf(AttributeStatementType.class)));
    for (StatementAbstractType statement : a.getStatements()) {
        if (statement instanceof AuthnStatementType) {
            AuthnStatementType as = (AuthnStatementType) statement;
            final AuthnContextType ac = as.getAuthnContext();
            assertThat(ac, notNullValue());
            assertThat(ac.getSequence(), notNullValue());
            assertThat(ac.getSequence().getClassRef().getValue(), is(JBossSAMLURIConstants.AC_UNSPECIFIED.getUri()));
            assertThat(ac.getSequence(), notNullValue());
            assertThat(ac.getSequence().getAuthnContextDecl(), notNullValue());
            assertThat(ac.getSequence().getAuthnContextDecl().getValue(), instanceOf(Element.class));
            final Element el = (Element) ac.getSequence().getAuthnContextDecl().getValue();
            assertThat(el.getTextContent(), is("auth.weak"));
        } else {
            AttributeStatementType as = (AttributeStatementType) statement;
            assertThat(as.getAttributes(), hasSize(9));
            for (int i = 0; i < as.getAttributes().size(); i++) {
                AttributeType attr = as.getAttributes().get(i).getAttribute();
                assertThat(attr.getName(), ATTR_NAME[i]);
                assertThat(attr.getAttributeValue(), ATTR_VALUE[i]);
            }
        }
    }
    assertThat(a.getConditions().getConditions(), contains(instanceOf(AudienceRestrictionType.class)));
}

Example 3 with AttributeStatementType

use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.

the class SamlProtocol method authenticated.

@Override
public Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
    AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
    ClientModel client = clientSession.getClient();
    SamlClient samlClient = new SamlClient(client);
    String requestID = authSession.getClientNote(SAML_REQUEST_ID);
    String relayState = authSession.getClientNote(GeneralConstants.RELAY_STATE);
    String redirectUri = authSession.getRedirectUri();
    String responseIssuer = getResponseIssuer(realm);
    String nameIdFormat = getNameIdFormat(samlClient, authSession);
    int assertionLifespan = samlClient.getAssertionLifespan();
    SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder();
    builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(assertionLifespan <= 0 ? realm.getAccessCodeLifespan() : assertionLifespan).subjectExpiration(assertionLifespan <= 0 ? realm.getAccessTokenLifespan() : assertionLifespan).sessionExpiration(realm.getSsoSessionMaxLifespan()).requestIssuer(clientSession.getClient().getClientId()).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
    String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession);
    builder.sessionIndex(sessionIndex);
    if (!samlClient.includeAuthnStatement()) {
        builder.disableAuthnStatement(true);
    }
    builder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
    List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers = new LinkedList<>();
    List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> loginResponseMappers = new LinkedList<>();
    AtomicReference<ProtocolMapperProcessor<SAMLRoleListMapper>> roleListMapper = new AtomicReference<>(null);
    List<ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers = new LinkedList<>();
    ProtocolMapperUtils.getSortedProtocolMappers(session, clientSessionCtx).forEach(entry -> {
        ProtocolMapperModel mapping = entry.getKey();
        ProtocolMapper mapper = entry.getValue();
        if (mapper instanceof SAMLAttributeStatementMapper) {
            attributeStatementMappers.add(new ProtocolMapperProcessor<>((SAMLAttributeStatementMapper) mapper, mapping));
        }
        if (mapper instanceof SAMLLoginResponseMapper) {
            loginResponseMappers.add(new ProtocolMapperProcessor<>((SAMLLoginResponseMapper) mapper, mapping));
        }
        if (mapper instanceof SAMLRoleListMapper) {
            roleListMapper.set(new ProtocolMapperProcessor<>((SAMLRoleListMapper) mapper, mapping));
        }
        if (mapper instanceof SAMLNameIdMapper) {
            samlNameIdMappers.add(new ProtocolMapperProcessor<>((SAMLNameIdMapper) mapper, mapping));
        }
    });
    Document samlDocument = null;
    ResponseType samlModel = null;
    KeyManager keyManager = session.keys();
    KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
    boolean postBinding = isPostBinding(authSession);
    String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
    String nameId = getSAMLNameId(samlNameIdMappers, nameIdFormat, session, userSession, clientSession);
    if (nameId == null) {
        return samlErrorMessage(null, samlClient, isPostBinding(authSession), redirectUri, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, relayState);
    }
    builder.nameIdentifier(nameIdFormat, nameId);
    // save NAME_ID and format in clientSession as they may be persistent or
    // transient or email and not username
    // we'll need to send this back on a logout
    clientSession.setNote(SAML_NAME_ID, nameId);
    clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
    try {
        if ((!postBinding) && samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
            builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
        }
        samlModel = builder.buildModel();
        final AttributeStatementType attributeStatement = populateAttributeStatements(attributeStatementMappers, session, userSession, clientSession);
        populateRoles(roleListMapper.get(), session, userSession, clientSessionCtx, attributeStatement);
        // SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
        if (attributeStatement.getAttributes().size() > 0) {
            AssertionType assertion = samlModel.getAssertions().get(0).getAssertion();
            assertion.addStatement(attributeStatement);
        }
        samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSessionCtx);
    } catch (Exception e) {
        logger.error("failed", e);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
    }
    JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder(session);
    bindingBuilder.relayState(relayState);
    if ("true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get()))) {
        try {
            return buildArtifactAuthenticatedResponse(clientSession, redirectUri, samlModel, bindingBuilder);
        } catch (Exception e) {
            logger.error("failed", e);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
        }
    }
    if (samlClient.requiresRealmSignature() || samlClient.requiresAssertionSignature()) {
        String canonicalization = samlClient.getCanonicalizationMethod();
        if (canonicalization != null) {
            bindingBuilder.canonicalizationMethod(canonicalization);
        }
        bindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate());
        if (samlClient.requiresRealmSignature())
            bindingBuilder.signDocument();
        if (samlClient.requiresAssertionSignature())
            bindingBuilder.signAssertions();
    }
    if (samlClient.requiresEncryption()) {
        PublicKey publicKey = null;
        try {
            publicKey = SamlProtocolUtils.getEncryptionKey(client);
        } catch (Exception e) {
            logger.error("failed", e);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
        }
        bindingBuilder.encrypt(publicKey);
    }
    try {
        samlDocument = builder.buildDocument(samlModel);
        return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
    } catch (Exception e) {
        logger.error("failed", e);
        return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
    }
}

Example 4 with AttributeStatementType

use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.

the class AttributeStatementHelper method addAttributes.

public static void addAttributes(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, Collection<String> attributeValues) {
    AttributeType attribute = createAttributeType(mappingModel);
    attributeValues.forEach(attribute::addAttributeValue);
    attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attribute));
}

Example 5 with AttributeStatementType

use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.

the class KcSamlIdPInitiatedSsoTest method testProviderTransientIdpInitiatedLogin.

@Test
public void testProviderTransientIdpInitiatedLogin() throws Exception {
    IdentityProviderResource idp = adminClient.realm(REALM_CONS_NAME).identityProviders().get("saml-leaf");
    IdentityProviderRepresentation rep = idp.toRepresentation();
    rep.getConfig().put(SAMLIdentityProviderConfig.NAME_ID_POLICY_FORMAT, JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get());
    rep.getConfig().put(SAMLIdentityProviderConfig.PRINCIPAL_TYPE, SamlPrincipalType.ATTRIBUTE.name());
    rep.getConfig().put(SAMLIdentityProviderConfig.PRINCIPAL_ATTRIBUTE, X500SAMLProfileConstants.UID.get());
    idp.update(rep);
    SAMLDocumentHolder samlResponse = new SamlClientBuilder().navigateTo(getSamlIdpInitiatedUrl(REALM_PROV_NAME, "samlbroker")).login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build().processSamlResponse(Binding.POST).transformObject(ob -> {
        assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType resp = (ResponseType) ob;
        assertThat(resp.getDestination(), is(getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales")));
        assertAudience(resp, getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales"));
        NameIDType nameId = new NameIDType();
        nameId.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()));
        nameId.setValue("subjectId1");
        resp.getAssertions().get(0).getAssertion().getSubject().getSubType().addBaseID(nameId);
        Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
        AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
        AttributeType attr = new AttributeType(X500SAMLProfileConstants.UID.get());
        attr.addAttributeValue(PROVIDER_REALM_USER_NAME);
        attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
        resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
        return ob;
    }).build().navigateTo(getSamlIdpInitiatedUrl(REALM_PROV_NAME, "samlbroker-2")).login().sso(true).build().processSamlResponse(Binding.POST).transformObject(ob -> {
        assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType resp = (ResponseType) ob;
        assertThat(resp.getDestination(), is(getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales2")));
        assertAudience(resp, getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales2"));
        NameIDType nameId = new NameIDType();
        nameId.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()));
        nameId.setValue("subjectId2");
        resp.getAssertions().get(0).getAssertion().getSubject().getSubType().addBaseID(nameId);
        Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
        AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
        AttributeType attr = new AttributeType(X500SAMLProfileConstants.UID.get());
        attr.addAttributeValue(PROVIDER_REALM_USER_NAME);
        attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
        resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
        return ob;
    }).build().updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build().followOneRedirect().getSamlResponse(Binding.POST);
    assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) samlResponse.getSamlObject();
    assertThat(resp.getDestination(), is(urlRealmConsumer + "/app/auth2/saml"));
    assertAudience(resp, urlRealmConsumer + "/app/auth2");
    UsersResource users = adminClient.realm(REALM_CONS_NAME).users();
    List<UserRepresentation> userList = users.search(CONSUMER_CHOSEN_USERNAME);
    assertEquals(1, userList.size());
    String id = userList.get(0).getId();
    FederatedIdentityRepresentation fed = users.get(id).getFederatedIdentity().get(0);
    assertThat(fed.getUserId(), is(PROVIDER_REALM_USER_NAME));
    assertThat(fed.getUserName(), is(PROVIDER_REALM_USER_NAME));
    // check that no user with sent subject-id was sent
    userList = users.search("subjectId1");
    assertTrue(userList.isEmpty());
    userList = users.search("subjectId2");
    assertTrue(userList.isEmpty());
}