Example 16 with AttributeStatementType
use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.
the class AbstractSamlAuthenticationHandler method handleLoginResponse.
protected AuthOutcome handleLoginResponse(SAMLDocumentHolder responseHolder, boolean postBinding, OnSessionCreated onCreateSession) {
if (!sessionStore.isLoggingIn()) {
log.warn("Adapter obtained LoginResponse, however containers session is not aware of sending any request. " + "This may be because the session cookies created by container are not properly configured " + "with SameSite settings. Refer to KEYCLOAK-14103 for more details.");
}
final ResponseType responseType = (ResponseType) responseHolder.getSamlObject();
AssertionType assertion = null;
if (!isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
return failed(createAuthChallenge403(responseType));
}
try {
assertion = AssertionUtil.getAssertion(responseHolder, responseType, deployment.getDecryptionKey());
ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator);
try {
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
if (responseType.getDestination() != null) {
// getDestination has been validated to match request URL already so it matches SAML endpoint
cvb.addAllowedAudience(URI.create(responseType.getDestination()));
}
} catch (IllegalArgumentException ex) {
// warning has been already emitted in DeploymentBuilder
}
if (!cvb.build().isValid()) {
return initiateLogin();
}
} catch (Exception e) {
log.error("Error extracting SAML assertion: " + e.getMessage());
return failed(CHALLENGE_EXTRACTION_FAILURE);
}
Element assertionElement = null;
if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
try {
assertionElement = getAssertionFromResponse(responseHolder);
if (!AssertionUtil.isSignatureValid(assertionElement, deployment.getIDP().getSignatureValidationKeyLocator())) {
log.error("Failed to verify saml assertion signature");
return failed(CHALLENGE_INVALID_SIGNATURE);
}
} catch (Exception e) {
log.error("Error processing validation of SAML assertion: " + e.getMessage());
return failed(CHALLENGE_EXTRACTION_FAILURE);
}
}
SubjectType subject = assertion.getSubject();
SubjectType.STSubType subType = subject.getSubType();
NameIDType subjectNameID = subType == null ? null : (NameIDType) subType.getBaseID();
String principalName = subjectNameID == null ? null : subjectNameID.getValue();
Set<String> roles = new HashSet<>();
MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<>();
MultivaluedHashMap<String, String> friendlyAttributes = new MultivaluedHashMap<>();
Set<StatementAbstractType> statements = assertion.getStatements();
for (StatementAbstractType statement : statements) {
if (statement instanceof AttributeStatementType) {
AttributeStatementType attributeStatement = (AttributeStatementType) statement;
List<AttributeStatementType.ASTChoiceType> attList = attributeStatement.getAttributes();
for (AttributeStatementType.ASTChoiceType obj : attList) {
AttributeType attr = obj.getAttribute();
if (isRole(attr)) {
List<Object> attributeValues = attr.getAttributeValue();
if (attributeValues != null) {
for (Object attrValue : attributeValues) {
String role = getAttributeValue(attrValue);
log.debugv("Add role: {0}", role);
roles.add(role);
}
}
} else {
List<Object> attributeValues = attr.getAttributeValue();
if (attributeValues != null) {
for (Object attrValue : attributeValues) {
String value = getAttributeValue(attrValue);
if (attr.getName() != null) {
attributes.add(attr.getName(), value);
}
if (attr.getFriendlyName() != null) {
friendlyAttributes.add(attr.getFriendlyName(), value);
}
}
}
}
}
}
}
if (deployment.getPrincipalNamePolicy() == SamlDeployment.PrincipalNamePolicy.FROM_ATTRIBUTE) {
if (deployment.getPrincipalAttributeName() != null) {
String attribute = attributes.getFirst(deployment.getPrincipalAttributeName());
if (attribute != null)
principalName = attribute;
else {
attribute = friendlyAttributes.getFirst(deployment.getPrincipalAttributeName());
if (attribute != null)
principalName = attribute;
}
}
}
// use the configured role mappings provider to map roles if necessary.
if (deployment.getRoleMappingsProvider() != null) {
roles = deployment.getRoleMappingsProvider().map(principalName, roles);
}
// roles should also be there as regular attributes
// this mainly required for elytron and its ABAC nature
attributes.put(DEFAULT_ROLE_ATTRIBUTE_NAME, new ArrayList<>(roles));
AuthnStatementType authn = null;
for (Object statement : assertion.getStatements()) {
if (statement instanceof AuthnStatementType) {
authn = (AuthnStatementType) statement;
break;
}
}
URI nameFormat = subjectNameID == null ? null : subjectNameID.getFormat();
String nameFormatString = nameFormat == null ? JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get() : nameFormat.toString();
if (deployment.isKeepDOMAssertion() && assertionElement == null) {
// obtain the assertion from the response to add the DOM document to the principal
assertionElement = getAssertionFromResponseNoException(responseHolder);
}
final SamlPrincipal principal = new SamlPrincipal(assertion, deployment.isKeepDOMAssertion() ? getAssertionDocumentFromElement(assertionElement) : null, principalName, principalName, nameFormatString, attributes, friendlyAttributes);
final String sessionIndex = authn == null ? null : authn.getSessionIndex();
final XMLGregorianCalendar sessionNotOnOrAfter = authn == null ? null : authn.getSessionNotOnOrAfter();
SamlSession account = new SamlSession(principal, roles, sessionIndex, sessionNotOnOrAfter);
sessionStore.saveAccount(account);
onCreateSession.onSessionCreated(account);
// redirect to original request, it will be restored
String redirectUri = sessionStore.getRedirectUri();
if (redirectUri != null) {
facade.getResponse().setHeader("Location", redirectUri);
facade.getResponse().setStatus(302);
facade.getResponse().end();
} else {
log.debug("IDP initiated invocation");
}
log.debug("AUTHENTICATED authn");
return AuthOutcome.AUTHENTICATED;
}
Also used :
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
KeycloakUriBuilder(org.keycloak.common.util.KeycloakUriBuilder)
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
Element(org.w3c.dom.Element)
URI(java.net.URI)
MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap)
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
SamlSession(org.keycloak.adapters.saml.SamlSession)
VerificationException(org.keycloak.common.VerificationException)
SignatureException(java.security.SignatureException)
KeyManagementException(java.security.KeyManagementException)
InvalidKeyException(java.security.InvalidKeyException)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
IOException(java.io.IOException)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
SamlPrincipal(org.keycloak.adapters.saml.SamlPrincipal)
SAML2Object(org.keycloak.dom.saml.v2.SAML2Object)
ConditionsValidator(org.keycloak.saml.validators.ConditionsValidator)
StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)
Example 17 with AttributeStatementType
use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.
the class SAMLLoginResponseHandlingTest method testNilAttributeValueAttribute.
@Test
public void testNilAttributeValueAttribute() {
beginAuthenticationAndLogin(employee2ServletPage, SamlClient.Binding.POST).processSamlResponse(// Update response with Nil attribute
SamlClient.Binding.POST).transformObject(ob -> {
assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
ResponseType resp = (ResponseType) ob;
Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
AttributeType attr = new AttributeType("attribute-with-null-attribute-value");
attr.addAttributeValue(null);
attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
return ob;
}).build().navigateTo(employee2ServletPage.getUriBuilder().clone().path("getAttributes").build()).execute(response -> {
Assert.assertThat(response, statusCodeIsHC(Response.Status.OK));
Assert.assertThat(response, bodyHC(containsString("attribute-with-null-attribute-value: <br />")));
});
}
Also used :
AttributeStatementHelper(org.keycloak.protocol.saml.mappers.AttributeStatementHelper)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
WaitUtils.waitUntilElement(org.keycloak.testsuite.util.WaitUtils.waitUntilElement)
RoleListMapper(org.keycloak.protocol.saml.mappers.RoleListMapper)
Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC)
X500SAMLProfileConstants(org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants)
HashMap(java.util.HashMap)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Matchers.bodyHC(org.keycloak.testsuite.util.Matchers.bodyHC)
AdapterActionsFilter(org.keycloak.testsuite.adapter.filter.AdapterActionsFilter)
Page(org.jboss.arquillian.graphene.page.Page)
REALM_PUBLIC_KEY(org.keycloak.testsuite.saml.AbstractSamlTest.REALM_PUBLIC_KEY)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
REALM_PRIVATE_KEY(org.keycloak.testsuite.saml.AbstractSamlTest.REALM_PRIVATE_KEY)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
LinkedHashMap(java.util.LinkedHashMap)
Assert.assertThat(org.junit.Assert.assertThat)
EmployeeSigServlet(org.keycloak.testsuite.adapter.page.EmployeeSigServlet)
Document(org.w3c.dom.Document)
Map(java.util.Map)
SamlClient(org.keycloak.testsuite.util.SamlClient)
ContainerConstants(org.keycloak.testsuite.utils.arquillian.ContainerConstants)
URI(java.net.URI)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
ApiUtil(org.keycloak.testsuite.admin.ApiUtil)
WaitUtils(org.keycloak.testsuite.util.WaitUtils)
WebArchive(org.jboss.shrinkwrap.api.spec.WebArchive)
ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource)
Matchers(org.keycloak.testsuite.util.Matchers)
JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants)
By(org.openqa.selenium.By)
Set(java.util.Set)
Test(org.junit.Test)
Employee2Servlet(org.keycloak.testsuite.adapter.page.Employee2Servlet)
WaitUtils.waitForPageToLoad(org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad)
ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation)
URLAssert.assertCurrentUrlStartsWith(org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith)
Response(javax.ws.rs.core.Response)
Deployment(org.jboss.arquillian.container.test.api.Deployment)
StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)
AppServerContainer(org.keycloak.testsuite.arquillian.annotation.AppServerContainer)
ApiUtil.getCreatedId(org.keycloak.testsuite.admin.ApiUtil.getCreatedId)
Assert(org.junit.Assert)
PublicKeyLocator(org.keycloak.adapters.rotation.PublicKeyLocator)
Matchers.containsString(org.hamcrest.Matchers.containsString)
UIUtils.getRawPageSource(org.keycloak.testsuite.util.UIUtils.getRawPageSource)
SAML2ErrorResponseBuilder(org.keycloak.saml.SAML2ErrorResponseBuilder)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Set(java.util.Set)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Example 18 with AttributeStatementType
use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.
the class GroupMembershipMapper method transformAttributeStatement.
@Override
public void transformAttributeStatement(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) {
String single = mappingModel.getConfig().get(SINGLE_GROUP_ATTRIBUTE);
boolean singleAttribute = Boolean.parseBoolean(single);
boolean fullPath = useFullPath(mappingModel);
final AtomicReference<AttributeType> singleAttributeType = new AtomicReference<>(null);
userSession.getUser().getGroupsStream().forEach(group -> {
String groupName;
if (fullPath) {
groupName = ModelToRepresentation.buildGroupPath(group);
} else {
groupName = group.getName();
}
AttributeType attributeType;
if (singleAttribute) {
if (singleAttributeType.get() == null) {
singleAttributeType.set(AttributeStatementHelper.createAttributeType(mappingModel));
attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(singleAttributeType.get()));
}
attributeType = singleAttributeType.get();
} else {
attributeType = AttributeStatementHelper.createAttributeType(mappingModel);
attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attributeType));
}
attributeType.addAttributeValue(groupName);
});
}
Also used :
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Example 19 with AttributeStatementType
use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.
the class RoleListMapper method mapRoles.
@Override
public void mapRoles(AttributeStatementType roleAttributeStatement, ProtocolMapperModel mappingModel, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
String single = mappingModel.getConfig().get(SINGLE_ROLE_ATTRIBUTE);
boolean singleAttribute = Boolean.parseBoolean(single);
List<SamlProtocol.ProtocolMapperProcessor<SAMLRoleNameMapper>> roleNameMappers = new LinkedList<>();
AtomicReference<AttributeType> singleAttributeType = new AtomicReference<>(null);
ProtocolMapperUtils.getSortedProtocolMappers(session, clientSessionCtx).forEach(entry -> {
ProtocolMapperModel mapping = entry.getKey();
ProtocolMapper mapper = entry.getValue();
if (mapper instanceof SAMLRoleNameMapper) {
roleNameMappers.add(new SamlProtocol.ProtocolMapperProcessor<>((SAMLRoleNameMapper) mapper, mapping));
}
if (mapper instanceof HardcodedRole) {
AttributeType attributeType;
if (singleAttribute) {
if (singleAttributeType.get() == null) {
singleAttributeType.set(AttributeStatementHelper.createAttributeType(mappingModel));
roleAttributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(singleAttributeType.get()));
}
attributeType = singleAttributeType.get();
} else {
attributeType = AttributeStatementHelper.createAttributeType(mappingModel);
roleAttributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attributeType));
}
attributeType.addAttributeValue(mapping.getConfig().get(HardcodedRole.ROLE_ATTRIBUTE));
}
});
List<String> allRoleNames = clientSessionCtx.getRolesStream().map(roleModel -> roleNameMappers.stream().map(entry -> entry.mapper.mapName(entry.model, roleModel)).filter(Objects::nonNull).findFirst().orElse(roleModel.getName())).collect(Collectors.toList());
for (String roleName : allRoleNames) {
AttributeType attributeType;
if (singleAttribute) {
if (singleAttributeType.get() == null) {
singleAttributeType.set(AttributeStatementHelper.createAttributeType(mappingModel));
roleAttributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(singleAttributeType.get()));
}
attributeType = singleAttributeType.get();
} else {
attributeType = AttributeStatementHelper.createAttributeType(mappingModel);
roleAttributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attributeType));
}
attributeType.addAttributeValue(roleName);
}
}
Also used :
ProtocolMapperModel(org.keycloak.models.ProtocolMapperModel)
ProviderConfigProperty(org.keycloak.provider.ProviderConfigProperty)
KeycloakSession(org.keycloak.models.KeycloakSession)
SamlProtocol(org.keycloak.protocol.saml.SamlProtocol)
HashMap(java.util.HashMap)
UserSessionModel(org.keycloak.models.UserSessionModel)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
Collectors(java.util.stream.Collectors)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
ArrayList(java.util.ArrayList)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
Objects(java.util.Objects)
List(java.util.List)
ClientSessionContext(org.keycloak.models.ClientSessionContext)
Map(java.util.Map)
ProtocolMapperUtils(org.keycloak.protocol.ProtocolMapperUtils)
ProtocolMapper(org.keycloak.protocol.ProtocolMapper)
LinkedList(java.util.LinkedList)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
ProtocolMapper(org.keycloak.protocol.ProtocolMapper)
SamlProtocol(org.keycloak.protocol.saml.SamlProtocol)
LinkedList(java.util.LinkedList)
ProtocolMapperModel(org.keycloak.models.ProtocolMapperModel)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
Objects(java.util.Objects)
Example 20 with AttributeStatementType
use of org.keycloak.dom.saml.v2.assertion.AttributeStatementType in project keycloak by keycloak.
the class AttributeStatementHelper method addAttribute.
public static void addAttribute(AttributeStatementType attributeStatement, ProtocolMapperModel mappingModel, String attributeValue) {
AttributeType attribute = createAttributeType(mappingModel);
attribute.addAttributeValue(attributeValue);
attributeStatement.addAttribute(new AttributeStatementType.ASTChoiceType(attribute));
}
Also used :
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
Aggregations
AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)27
AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)25
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)12
ASTChoiceType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType)11
Test (org.junit.Test)9
StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)9
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)8
URI (java.net.URI)6
List (java.util.List)6
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6
IOException (java.io.IOException)5
ArrayList (java.util.ArrayList)5
Map (java.util.Map)5
Matchers.containsString (org.hamcrest.Matchers.containsString)5
JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)5
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)5
ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)5
SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)5
Set (java.util.Set)4
Collectors (java.util.stream.Collectors)4
