Examples with AuthnStatementType org.keycloak.dom.saml.v2.assertion.AuthnStatementType used on opensource projects

Search in sources :

Example 16 with AuthnStatementType

use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.

the class SAMLAssertionWriter method write.

/**
 * Write an {@code AuthnStatementType} to stream
 *
 * @param authnStatement
 *
 * @throws ProcessingException
 */
public void write(AuthnStatementType authnStatement, boolean includeNamespace) throws ProcessingException {
    StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_STATEMENT.get(), ASSERTION_NSURI.get());
    if (includeNamespace) {
        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
    }
    XMLGregorianCalendar authnInstant = authnStatement.getAuthnInstant();
    if (authnInstant != null) {
        StaxUtil.writeAttribute(writer, JBossSAMLConstants.AUTHN_INSTANT.get(), authnInstant.toString());
    }
    String sessionIndex = authnStatement.getSessionIndex();
    if (sessionIndex != null) {
        StaxUtil.writeAttribute(writer, JBossSAMLConstants.SESSION_INDEX.get(), sessionIndex);
    }
    XMLGregorianCalendar sessionNotOnOrAfter = authnStatement.getSessionNotOnOrAfter();
    if (sessionNotOnOrAfter != null) {
        StaxUtil.writeAttribute(writer, SAMLAssertionQNames.ATTR_SESSION_NOT_ON_OR_AFTER.getQName(), sessionNotOnOrAfter.toString());
    }
    AuthnContextType authnContext = authnStatement.getAuthnContext();
    if (authnContext != null)
        write(authnContext);
    StaxUtil.writeEndElement(writer);
    StaxUtil.flush(writer);
}
Also used : XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar) AuthnContextType(org.keycloak.dom.saml.v2.assertion.AuthnContextType)

Example 17 with AuthnStatementType

use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.

the class KcSamlBrokerSessionNotOnOrAfterTest method testConsumerIdpInitiatedLoginContainsSessionNotOnOrAfter.

@Test
public void testConsumerIdpInitiatedLoginContainsSessionNotOnOrAfter() throws Exception {
    SAMLDocumentHolder samlResponse = new SamlClientBuilder().idpInitiatedLogin(getConsumerSamlEndpoint(REALM_CONS_NAME), "sales-post").build().login().idp(IDP_SAML_ALIAS).build().processSamlResponse(// AuthnRequest to producer IdP
    SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(USER_LOGIN, USER_PASSWORD).build().processSamlResponse(SamlClient.Binding.POST).build().updateProfile().username(USER_LOGIN).email(USER_EMAIL).firstName("Firstname").lastName("Lastname").build().followOneRedirect().getSamlResponse(SamlClient.Binding.POST);
    assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) samlResponse.getSamlObject();
    Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
    AuthnStatementType authType = statements.stream().filter(statement -> statement instanceof AuthnStatementType).map(s -> (AuthnStatementType) s).findFirst().orElse(null);
    assertThat(authType, notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), is(XMLTimeUtil.add(authType.getAuthnInstant(), adminClient.realm(REALM_CONS_NAME).toRepresentation().getSsoSessionMaxLifespan() * 1000)));
}
Also used : AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) XMLTimeUtil(org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil) USER_PASSWORD(org.keycloak.testsuite.broker.BrokerTestConstants.USER_PASSWORD) IDP_SAML_ALIAS(org.keycloak.testsuite.broker.BrokerTestConstants.IDP_SAML_ALIAS) Matchers.notNullValue(org.hamcrest.Matchers.notNullValue) Matchers(org.keycloak.testsuite.util.Matchers) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Set(java.util.Set) Test(org.junit.Test) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) USER_EMAIL(org.keycloak.testsuite.broker.BrokerTestConstants.USER_EMAIL) Assert.assertThat(org.junit.Assert.assertThat) USER_LOGIN(org.keycloak.testsuite.broker.BrokerTestConstants.USER_LOGIN) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) REALM_CONS_NAME(org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME) SamlClient(org.keycloak.testsuite.util.SamlClient) Matchers.is(org.hamcrest.Matchers.is) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) Test(org.junit.Test)

Example 18 with AuthnStatementType

use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.

the class KcSamlLogoutTest method testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients.

@Test
public void testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients() throws Exception {
    try (SamlMessageReceiver logoutReceiver = new SamlMessageReceiver(8082);
        ClientAttributeUpdater cauConsumer = ClientAttributeUpdater.forClient(adminClient, bc.consumerRealmName(), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(false).setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, logoutReceiver.getUrl()).update();
        ClientAttributeUpdater cauProvider = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm()).setFrontchannelLogout(true).update()) {
        AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
        Document doc = SAML2Request.convert(loginRep);
        final AtomicReference<NameIDType> nameIdRef = new AtomicReference<>();
        final AtomicReference<String> sessionIndexRef = new AtomicReference<>();
        new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, SamlClient.Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
        SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
        SamlClient.Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().processSamlResponse(SamlClient.Binding.POST).transformObject(saml2Object -> {
            assertThat(saml2Object, Matchers.notNullValue());
            assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            return null;
        }).build().authnRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, PROVIDER_SAML_CLIENT_ID + "saml", POST).build().followOneRedirect().processSamlResponse(POST).transformObject(saml2Object -> {
            assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            ResponseType loginResp1 = (ResponseType) saml2Object;
            final AssertionType firstAssertion = loginResp1.getAssertions().get(0).getAssertion();
            assertThat(firstAssertion, Matchers.notNullValue());
            assertThat(firstAssertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
            NameIDType nameId = (NameIDType) firstAssertion.getSubject().getSubType().getBaseID();
            AuthnStatementType firstAssertionStatement = (AuthnStatementType) firstAssertion.getStatements().iterator().next();
            nameIdRef.set(nameId);
            sessionIndexRef.set(firstAssertionStatement.getSessionIndex());
            return null;
        }).build().logoutRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, POST).nameId(nameIdRef::get).sessionIndex(sessionIndexRef::get).build().processSamlResponse(POST).transformObject(saml2Object -> {
            assertThat(saml2Object, isSamlLogoutRequest(getConsumerRoot() + "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_SAML_ALIAS + "/endpoint"));
            return saml2Object;
        }).build().executeAndTransform(response -> {
            SAMLDocumentHolder saml2ObjectHolder = POST.extractResponse(response);
            assertThat(saml2ObjectHolder.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            return null;
        });
        // Check whether logoutReceiver contains correct LogoutRequest
        assertThat(logoutReceiver.isMessageReceived(), is(true));
        SAMLDocumentHolder message = logoutReceiver.getSamlDocumentHolder();
        assertThat(message.getSamlObject(), isSamlLogoutRequest(logoutReceiver.getUrl()));
    }
}
Also used : CoreMatchers.is(org.hamcrest.CoreMatchers.is) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater) IDP_SAML_ALIAS(org.keycloak.testsuite.broker.BrokerTestConstants.IDP_SAML_ALIAS) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) IdentityProviderAttributeUpdater(org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) SamlConfigAttributes(org.keycloak.protocol.saml.SamlConfigAttributes) POST(org.keycloak.testsuite.util.SamlClient.Binding.POST) Matchers.isSamlLogoutRequest(org.keycloak.testsuite.util.Matchers.isSamlLogoutRequest) AtomicReference(java.util.concurrent.atomic.AtomicReference) CoreMatchers.instanceOf(org.hamcrest.CoreMatchers.instanceOf) BrokerTestTools.getConsumerRoot(org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot) SAMLIdentityProviderConfig(org.keycloak.broker.saml.SAMLIdentityProviderConfig) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) Document(org.w3c.dom.Document) SamlClient(org.keycloak.testsuite.util.SamlClient) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) Matchers.isSamlResponse(org.keycloak.testsuite.util.Matchers.isSamlResponse) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Matchers(org.hamcrest.Matchers) Test(org.junit.Test) SamlProtocol(org.keycloak.protocol.saml.SamlProtocol) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) List(java.util.List) UserAttributeUpdater(org.keycloak.testsuite.updaters.UserAttributeUpdater) REALM_CONS_NAME(org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME) Closeable(java.io.Closeable) ATTRIBUTE_TO_MAP_NAME(org.keycloak.testsuite.broker.KcOidcBrokerConfiguration.ATTRIBUTE_TO_MAP_NAME) ClientBuilder(org.keycloak.testsuite.util.ClientBuilder) Matchers.isSamlStatusResponse(org.keycloak.testsuite.util.Matchers.isSamlStatusResponse) SamlMessageReceiver(org.keycloak.testsuite.util.saml.SamlMessageReceiver) BrokerTestTools.getProviderRoot(org.keycloak.testsuite.broker.BrokerTestTools.getProviderRoot) SamlPrincipalType(org.keycloak.protocol.saml.SamlPrincipalType) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) AtomicReference(java.util.concurrent.atomic.AtomicReference) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) Document(org.w3c.dom.Document) SamlMessageReceiver(org.keycloak.testsuite.util.saml.SamlMessageReceiver) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) Test(org.junit.Test)

Example 19 with AuthnStatementType

use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.

the class SessionNotOnOrAfterTest method checkSessionNotOnOrAfter.

private SAML2Object checkSessionNotOnOrAfter(SAML2Object ob, int ssoMaxLifespan, int accessCodeLifespan, int accessTokenLifespan) {
    assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) ob;
    Assert.assertNotNull(resp);
    Assert.assertNotNull(resp.getAssertions());
    Assert.assertThat(resp.getAssertions().size(), greaterThan(0));
    Assert.assertNotNull(resp.getAssertions().get(0));
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion());
    // session lifespan
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getStatements());
    Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
    AuthnStatementType authType = statements.stream().filter(statement -> statement instanceof AuthnStatementType).map(s -> (AuthnStatementType) s).findFirst().orElse(null);
    assertThat(authType, notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), is(XMLTimeUtil.add(authType.getAuthnInstant(), ssoMaxLifespan * 1000L)));
    // Conditions
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getConditions());
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getConditions());
    ConditionsType condition = resp.getAssertions().get(0).getAssertion().getConditions();
    Assert.assertEquals(XMLTimeUtil.add(condition.getNotBefore(), accessCodeLifespan * 1000L), condition.getNotOnOrAfter());
    // SubjectConfirmation (confirmationData has no NotBefore, using the previous one because it's the same)
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getSubject());
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getSubject().getConfirmation());
    List<SubjectConfirmationType> confirmations = resp.getAssertions().get(0).getAssertion().getSubject().getConfirmation();
    SubjectConfirmationDataType confirmationData = confirmations.stream().map(c -> c.getSubjectConfirmationData()).filter(c -> c != null).findFirst().orElse(null);
    Assert.assertNotNull(confirmationData);
    Assert.assertEquals(XMLTimeUtil.add(condition.getNotBefore(), accessTokenLifespan * 1000L), confirmationData.getNotOnOrAfter());
    return null;
}
Also used : AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) XMLTimeUtil(org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil) ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Matchers.notNullValue(org.hamcrest.Matchers.notNullValue) Matchers(org.keycloak.testsuite.util.Matchers) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Set(java.util.Set) Test(org.junit.Test) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) SamlConfigAttributes(org.keycloak.protocol.saml.SamlConfigAttributes) RealmAttributeUpdater(org.keycloak.testsuite.updaters.RealmAttributeUpdater) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) Assert.assertThat(org.junit.Assert.assertThat) SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) List(java.util.List) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) SamlClient(org.keycloak.testsuite.util.SamlClient) Matchers.greaterThan(org.hamcrest.Matchers.greaterThan) Matchers.is(org.hamcrest.Matchers.is) Assert(org.junit.Assert) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)

Example 20 with AuthnStatementType

use of org.keycloak.dom.saml.v2.assertion.AuthnStatementType in project keycloak by keycloak.

the class AbstractSamlTest method extractNameIdAndSessionIndexAndTerminate.

protected SAML2Object extractNameIdAndSessionIndexAndTerminate(SAML2Object so) {
    assertThat(so, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType loginResp1 = (ResponseType) so;
    final AssertionType firstAssertion = loginResp1.getAssertions().get(0).getAssertion();
    assertThat(firstAssertion, org.hamcrest.Matchers.notNullValue());
    assertThat(firstAssertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
    NameIDType nameId = (NameIDType) firstAssertion.getSubject().getSubType().getBaseID();
    AuthnStatementType firstAssertionStatement = (AuthnStatementType) firstAssertion.getStatements().iterator().next();
    nameIdRef.set(nameId);
    sessionIndexRef.set(firstAssertionStatement.getSessionIndex());
    return null;
}
Also used : AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)

Aggregations

AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)18 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)10 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)9 Test (org.junit.Test)8 StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)7 NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6 XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)5 AuthnContextType (org.keycloak.dom.saml.v2.assertion.AuthnContextType)5 SAML2Object (org.keycloak.dom.saml.v2.SAML2Object)4 JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)4 SamlClient (org.keycloak.testsuite.util.SamlClient)4 Set (java.util.Set)3 Matchers.is (org.hamcrest.Matchers.is)3 Matchers.notNullValue (org.hamcrest.Matchers.notNullValue)3 Assert.assertThat (org.junit.Assert.assertThat)3 AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)3 ConditionsType (org.keycloak.dom.saml.v2.assertion.ConditionsType)3 SubjectType (org.keycloak.dom.saml.v2.assertion.SubjectType)3 XMLTimeUtil (org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil)3 Matchers (org.keycloak.testsuite.util.Matchers)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial