Example 6 with AuthnStatementType
use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.
the class AbstractSamlAuthenticationHandler method handleLoginResponse.
protected AuthOutcome handleLoginResponse(SAMLDocumentHolder responseHolder, boolean postBinding, OnSessionCreated onCreateSession) {
if (!sessionStore.isLoggingIn()) {
log.warn("Adapter obtained LoginResponse, however containers session is not aware of sending any request. " + "This may be because the session cookies created by container are not properly configured " + "with SameSite settings. Refer to KEYCLOAK-14103 for more details.");
}
final ResponseType responseType = (ResponseType) responseHolder.getSamlObject();
AssertionType assertion = null;
if (!isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
return failed(createAuthChallenge403(responseType));
}
try {
assertion = AssertionUtil.getAssertion(responseHolder, responseType, deployment.getDecryptionKey());
ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator);
try {
cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
if (responseType.getDestination() != null) {
// getDestination has been validated to match request URL already so it matches SAML endpoint
cvb.addAllowedAudience(URI.create(responseType.getDestination()));
}
} catch (IllegalArgumentException ex) {
// warning has been already emitted in DeploymentBuilder
}
if (!cvb.build().isValid()) {
return initiateLogin();
}
} catch (Exception e) {
log.error("Error extracting SAML assertion: " + e.getMessage());
return failed(CHALLENGE_EXTRACTION_FAILURE);
}
Element assertionElement = null;
if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
try {
assertionElement = getAssertionFromResponse(responseHolder);
if (!AssertionUtil.isSignatureValid(assertionElement, deployment.getIDP().getSignatureValidationKeyLocator())) {
log.error("Failed to verify saml assertion signature");
return failed(CHALLENGE_INVALID_SIGNATURE);
}
} catch (Exception e) {
log.error("Error processing validation of SAML assertion: " + e.getMessage());
return failed(CHALLENGE_EXTRACTION_FAILURE);
}
}
SubjectType subject = assertion.getSubject();
SubjectType.STSubType subType = subject.getSubType();
NameIDType subjectNameID = subType == null ? null : (NameIDType) subType.getBaseID();
String principalName = subjectNameID == null ? null : subjectNameID.getValue();
Set<String> roles = new HashSet<>();
MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<>();
MultivaluedHashMap<String, String> friendlyAttributes = new MultivaluedHashMap<>();
Set<StatementAbstractType> statements = assertion.getStatements();
for (StatementAbstractType statement : statements) {
if (statement instanceof AttributeStatementType) {
AttributeStatementType attributeStatement = (AttributeStatementType) statement;
List<AttributeStatementType.ASTChoiceType> attList = attributeStatement.getAttributes();
for (AttributeStatementType.ASTChoiceType obj : attList) {
AttributeType attr = obj.getAttribute();
if (isRole(attr)) {
List<Object> attributeValues = attr.getAttributeValue();
if (attributeValues != null) {
for (Object attrValue : attributeValues) {
String role = getAttributeValue(attrValue);
log.debugv("Add role: {0}", role);
roles.add(role);
}
}
} else {
List<Object> attributeValues = attr.getAttributeValue();
if (attributeValues != null) {
for (Object attrValue : attributeValues) {
String value = getAttributeValue(attrValue);
if (attr.getName() != null) {
attributes.add(attr.getName(), value);
}
if (attr.getFriendlyName() != null) {
friendlyAttributes.add(attr.getFriendlyName(), value);
}
}
}
}
}
}
}
if (deployment.getPrincipalNamePolicy() == SamlDeployment.PrincipalNamePolicy.FROM_ATTRIBUTE) {
if (deployment.getPrincipalAttributeName() != null) {
String attribute = attributes.getFirst(deployment.getPrincipalAttributeName());
if (attribute != null)
principalName = attribute;
else {
attribute = friendlyAttributes.getFirst(deployment.getPrincipalAttributeName());
if (attribute != null)
principalName = attribute;
}
}
}
// use the configured role mappings provider to map roles if necessary.
if (deployment.getRoleMappingsProvider() != null) {
roles = deployment.getRoleMappingsProvider().map(principalName, roles);
}
// roles should also be there as regular attributes
// this mainly required for elytron and its ABAC nature
attributes.put(DEFAULT_ROLE_ATTRIBUTE_NAME, new ArrayList<>(roles));
AuthnStatementType authn = null;
for (Object statement : assertion.getStatements()) {
if (statement instanceof AuthnStatementType) {
authn = (AuthnStatementType) statement;
break;
}
}
URI nameFormat = subjectNameID == null ? null : subjectNameID.getFormat();
String nameFormatString = nameFormat == null ? JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get() : nameFormat.toString();
if (deployment.isKeepDOMAssertion() && assertionElement == null) {
// obtain the assertion from the response to add the DOM document to the principal
assertionElement = getAssertionFromResponseNoException(responseHolder);
}
final SamlPrincipal principal = new SamlPrincipal(assertion, deployment.isKeepDOMAssertion() ? getAssertionDocumentFromElement(assertionElement) : null, principalName, principalName, nameFormatString, attributes, friendlyAttributes);
final String sessionIndex = authn == null ? null : authn.getSessionIndex();
final XMLGregorianCalendar sessionNotOnOrAfter = authn == null ? null : authn.getSessionNotOnOrAfter();
SamlSession account = new SamlSession(principal, roles, sessionIndex, sessionNotOnOrAfter);
sessionStore.saveAccount(account);
onCreateSession.onSessionCreated(account);
// redirect to original request, it will be restored
String redirectUri = sessionStore.getRedirectUri();
if (redirectUri != null) {
facade.getResponse().setHeader("Location", redirectUri);
facade.getResponse().setStatus(302);
facade.getResponse().end();
} else {
log.debug("IDP initiated invocation");
}
log.debug("AUTHENTICATED authn");
return AuthOutcome.AUTHENTICATED;
}
Also used :
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
KeycloakUriBuilder(org.keycloak.common.util.KeycloakUriBuilder)
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
Element(org.w3c.dom.Element)
URI(java.net.URI)
MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap)
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
SamlSession(org.keycloak.adapters.saml.SamlSession)
VerificationException(org.keycloak.common.VerificationException)
SignatureException(java.security.SignatureException)
KeyManagementException(java.security.KeyManagementException)
InvalidKeyException(java.security.InvalidKeyException)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
IOException(java.io.IOException)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
SamlPrincipal(org.keycloak.adapters.saml.SamlPrincipal)
SAML2Object(org.keycloak.dom.saml.v2.SAML2Object)
ConditionsValidator(org.keycloak.saml.validators.ConditionsValidator)
StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)
Example 7 with AuthnStatementType
use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.
the class SAMLAssertionWriterTest method testAuthnStatementSessionNotOnOrAfterExists.
@Test
public void testAuthnStatementSessionNotOnOrAfterExists() throws ProcessingException {
long sessionLengthInSeconds = 3600;
XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
XMLGregorianCalendar sessionExpirationDate = XMLTimeUtil.add(issueInstant, sessionLengthInSeconds);
AuthnStatementType authnStatementType = new AuthnStatementType(issueInstant);
authnStatementType.setSessionIndex("9b3cf799-225b-424a-8e5e-ee3c38e06ded::24b2f572-163c-43ad-8011-de6cd3803f76");
authnStatementType.setSessionNotOnOrAfter(sessionExpirationDate);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
SAMLAssertionWriter samlAssertionWriter = new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(byteArrayOutputStream));
samlAssertionWriter.write(authnStatementType, true);
String serializedAssertion = new String(byteArrayOutputStream.toByteArray(), GeneralConstants.SAML_CHARSET);
String expectedXMLAttribute = "SessionNotOnOrAfter=\"" + sessionExpirationDate.toString() + "\"";
Assert.assertTrue(serializedAssertion.contains(expectedXMLAttribute));
}
Also used :
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
Test(org.junit.Test)
Example 8 with AuthnStatementType
use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.
the class SAMLDataMarshaller method serialize.
@Override
public String serialize(Object obj) {
// Lame impl, but hopefully sufficient for now. See if something better is needed...
if (obj.getClass().getName().startsWith("org.keycloak.dom.saml")) {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
try {
if (obj instanceof ResponseType) {
ResponseType responseType = (ResponseType) obj;
SAMLResponseWriter samlWriter = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
samlWriter.write(responseType);
} else if (obj instanceof AssertionType) {
AssertionType assertion = (AssertionType) obj;
SAMLAssertionWriter samlWriter = new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(bos));
samlWriter.write(assertion);
} else if (obj instanceof AuthnStatementType) {
AuthnStatementType authnStatement = (AuthnStatementType) obj;
SAMLAssertionWriter samlWriter = new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(bos));
samlWriter.write(authnStatement, true);
} else if (obj instanceof ArtifactResponseType) {
ArtifactResponseType artifactResponseType = (ArtifactResponseType) obj;
SAMLResponseWriter samlWriter = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
samlWriter.write(artifactResponseType);
} else {
throw new IllegalArgumentException("Don't know how to serialize object of type " + obj.getClass().getName());
}
} catch (ProcessingException pe) {
throw new RuntimeException(pe);
}
return new String(bos.toByteArray(), GeneralConstants.SAML_CHARSET);
} else {
return super.serialize(obj);
}
}
Also used :
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
SAMLResponseWriter(org.keycloak.saml.processing.core.saml.v2.writers.SAMLResponseWriter)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
SAMLAssertionWriter(org.keycloak.saml.processing.core.saml.v2.writers.SAMLAssertionWriter)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
Example 9 with AuthnStatementType
use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.
the class SAMLIdentityProvider method authenticationFinished.
@Override
public void authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context) {
ResponseType responseType = (ResponseType) context.getContextData().get(SAMLEndpoint.SAML_LOGIN_RESPONSE);
AssertionType assertion = (AssertionType) context.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
SubjectType subject = assertion.getSubject();
SubjectType.STSubType subType = subject.getSubType();
if (subType != null) {
NameIDType subjectNameID = (NameIDType) subType.getBaseID();
authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID, subjectNameID.serializeAsString());
}
AuthnStatementType authn = (AuthnStatementType) context.getContextData().get(SAMLEndpoint.SAML_AUTHN_STATEMENT);
if (authn != null && authn.getSessionIndex() != null) {
authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX, authn.getSessionIndex());
}
}
Also used :
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Example 10 with AuthnStatementType
use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.
the class SAML2Response method createAuthnStatement.
/**
* Create an AuthnStatement
*
* @param authnContextDeclRef such as JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT
* @param issueInstant
*
* @return
*/
public AuthnStatementType createAuthnStatement(String authnContextDeclRef, XMLGregorianCalendar issueInstant) {
AuthnStatementType authnStatement = new AuthnStatementType(issueInstant);
AuthnContextType act = new AuthnContextType();
String authContextDeclRef = JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get();
act.addAuthenticatingAuthority(URI.create(authContextDeclRef));
AuthnContextType.AuthnContextTypeSequence sequence = new AuthnContextType.AuthnContextTypeSequence();
sequence.setClassRef(new AuthnContextClassRefType(JBossSAMLURIConstants.AC_PASSWORD.getUri()));
act.setSequence(sequence);
authnStatement.setAuthnContext(act);
return authnStatement;
}
Also used :
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
AuthnContextClassRefType(org.keycloak.dom.saml.v2.assertion.AuthnContextClassRefType)
AuthnContextType(org.keycloak.dom.saml.v2.assertion.AuthnContextType)
Aggregations
AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)18
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)10
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)9
Test (org.junit.Test)8
StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)7
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6
XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)5
AuthnContextType (org.keycloak.dom.saml.v2.assertion.AuthnContextType)5
SAML2Object (org.keycloak.dom.saml.v2.SAML2Object)4
JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)4
SamlClient (org.keycloak.testsuite.util.SamlClient)4
Set (java.util.Set)3
Matchers.is (org.hamcrest.Matchers.is)3
Matchers.notNullValue (org.hamcrest.Matchers.notNullValue)3
Assert.assertThat (org.junit.Assert.assertThat)3
AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)3
ConditionsType (org.keycloak.dom.saml.v2.assertion.ConditionsType)3
SubjectType (org.keycloak.dom.saml.v2.assertion.SubjectType)3
XMLTimeUtil (org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil)3
Matchers (org.keycloak.testsuite.util.Matchers)3
