Example 6 with ConditionsType
use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.
the class SAMLAssertionFactory method createConditions.
/**
* <p>
* Creates a {@code Conditions} instance with the specified values.
* </p>
*
* @param notBefore a {@code XMLGregorianCalendar} representing the start of the token lifetime period.
* @param notOnOrAfter a {@code XMLGregorianCalendar} representing the end of the token lifetime period.
* @param restrictions an array containing the applicable restrictions.
*
* @return the constructed {@code Conditions} instance.
*/
public static ConditionsType createConditions(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, ConditionAbstractType... restrictions) {
ConditionsType conditions = new ConditionsType();
conditions.setNotBefore(notBefore);
conditions.setNotOnOrAfter(notOnOrAfter);
if (restrictions != null) {
for (ConditionAbstractType condition : restrictions) {
conditions.addCondition(condition);
}
}
return conditions;
}
Also used :
ConditionAbstractType(org.keycloak.dom.saml.v2.assertion.ConditionAbstractType)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
Example 7 with ConditionsType
use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.
the class IncludeOneTimeUseConditionTest method testOneTimeUseConditionIncluded.
private void testOneTimeUseConditionIncluded(Boolean oneTimeUseConditionShouldBeIncluded) throws IOException {
try (Closeable c = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setAttribute(SamlConfigAttributes.SAML_ONETIMEUSE_CONDITION, oneTimeUseConditionShouldBeIncluded.toString()).update()) {
SAMLDocumentHolder res = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
assertThat(res.getSamlObject(), notNullValue());
assertThat(res.getSamlObject(), instanceOf(ResponseType.class));
ResponseType rt = (ResponseType) res.getSamlObject();
assertThat(rt.getAssertions(), not(empty()));
final ConditionsType conditionsType = rt.getAssertions().get(0).getAssertion().getConditions();
assertThat(conditionsType, notNullValue());
assertThat(conditionsType.getConditions(), not(empty()));
final List<ConditionAbstractType> conditions = conditionsType.getConditions();
final Collection<ConditionAbstractType> oneTimeUseConditions = Collections2.filter(conditions, input -> input instanceof OneTimeUseType);
final boolean oneTimeUseConditionAdded = !oneTimeUseConditions.isEmpty();
assertThat(oneTimeUseConditionAdded, is(oneTimeUseConditionShouldBeIncluded));
}
}
Also used :
OneTimeUseType(org.keycloak.dom.saml.v2.assertion.OneTimeUseType)
ConditionAbstractType(org.keycloak.dom.saml.v2.assertion.ConditionAbstractType)
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Closeable(java.io.Closeable)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Example 8 with ConditionsType
use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.
the class BrokerTest method assertExpired.
private void assertExpired(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, boolean shouldPass) throws Exception {
Status expectedStatus = shouldPass ? Status.OK : Status.BAD_REQUEST;
final RealmResource realm = adminClient.realm(REALM_NAME);
try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/"))) {
new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build().login().idp(SAML_BROKER_ALIAS).build().processSamlResponse(REDIRECT).transformObject(this::createAuthnResponse).transformObject(resp -> {
// always invent a new user identified by a different email address
ResponseType rt = (ResponseType) resp;
AssertionType a = rt.getAssertions().get(0).getAssertion();
NameIDType nameId = new NameIDType();
nameId.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()));
nameId.setValue(UUID.randomUUID() + "@random.email.org");
SubjectType subject = new SubjectType();
SubjectType.STSubType subType = new SubjectType.STSubType();
subType.addBaseID(nameId);
subject.setSubType(subType);
a.setSubject(subject);
ConditionsType conditions = a.getConditions();
conditions.setNotBefore(notBefore);
conditions.setNotOnOrAfter(notOnOrAfter);
return rt;
}).targetAttributeSamlResponse().targetUri(getSamlBrokerUrl(REALM_NAME)).build().assertResponse(org.keycloak.testsuite.util.Matchers.statusCodeIsHC(expectedStatus)).execute();
}
}
Also used :
Status(javax.ws.rs.core.Response.Status)
XMLTimeUtil(org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil)
KeyPair(java.security.KeyPair)
ASTChoiceType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType)
POST(org.keycloak.testsuite.util.SamlClient.Binding.POST)
Header(org.apache.http.Header)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
SAML2Object(org.keycloak.dom.saml.v2.SAML2Object)
SAMLIdentityProviderConfig(org.keycloak.broker.saml.SAMLIdentityProviderConfig)
SAMLIdentityProviderFactory(org.keycloak.broker.saml.SAMLIdentityProviderFactory)
ClientsResource(org.keycloak.admin.client.resource.ClientsResource)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
Document(org.w3c.dom.Document)
Requirement(org.keycloak.models.AuthenticationExecutionModel.Requirement)
NameIDPolicyType(org.keycloak.dom.saml.v2.protocol.NameIDPolicyType)
HasQName(org.keycloak.saml.processing.core.parsers.util.HasQName)
URI(java.net.URI)
HttpHeaders(org.apache.http.HttpHeaders)
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
RealmResource(org.keycloak.admin.client.resource.RealmResource)
IdentityProviderBuilder(org.keycloak.testsuite.util.IdentityProviderBuilder)
UUID(java.util.UUID)
Objects(java.util.Objects)
List(java.util.List)
Matchers.isSamlStatusResponse(org.keycloak.testsuite.util.Matchers.isSamlStatusResponse)
Matchers.is(org.hamcrest.Matchers.is)
SAML_CLIENT_ID_SALES_POST(org.keycloak.testsuite.saml.AbstractSamlTest.SAML_CLIENT_ID_SALES_POST)
QName(javax.xml.namespace.QName)
SamlPrincipalType(org.keycloak.protocol.saml.SamlPrincipalType)
XmlDSigQNames(org.keycloak.saml.processing.core.parsers.saml.xmldsig.XmlDSigQNames)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation)
UserSessionRepresentation(org.keycloak.representations.idm.UserSessionRepresentation)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AuthenticationExecutionInfoRepresentation(org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation)
RSA_SHA1(org.keycloak.saml.SignatureAlgorithm.RSA_SHA1)
REDIRECT(org.keycloak.testsuite.util.SamlClient.Binding.REDIRECT)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
DOMException(org.w3c.dom.DOMException)
Matchers.hasSize(org.hamcrest.Matchers.hasSize)
MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat)
UserResource(org.keycloak.admin.client.resource.UserResource)
Status(javax.ws.rs.core.Response.Status)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
UserRepresentation(org.keycloak.representations.idm.UserRepresentation)
NodeList(org.w3c.dom.NodeList)
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants)
REALM_NAME(org.keycloak.testsuite.saml.AbstractSamlTest.REALM_NAME)
Matchers(org.hamcrest.Matchers)
IOException(java.io.IOException)
Test(org.junit.Test)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
SAML_ASSERTION_CONSUMER_URL_SALES_POST(org.keycloak.testsuite.saml.AbstractSamlTest.SAML_ASSERTION_CONSUMER_URL_SALES_POST)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
IdentityProviderCreator(org.keycloak.testsuite.updaters.IdentityProviderCreator)
IdpReviewProfileAuthenticatorFactory(org.keycloak.authentication.authenticators.broker.IdpReviewProfileAuthenticatorFactory)
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
Element(org.w3c.dom.Element)
Assert(org.junit.Assert)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
RealmResource(org.keycloak.admin.client.resource.RealmResource)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
IdentityProviderCreator(org.keycloak.testsuite.updaters.IdentityProviderCreator)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Example 9 with ConditionsType
use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.
the class SAML2Response method createResponseType.
/**
* Create a ResponseType
*
* <b>NOTE:</b>: The PicketLink STS is used to issue/update the assertion
*
* If you want to control over the assertion being issued, then use
* {@link #createResponseType(String, SPInfoHolder, IDPInfoHolder, IssuerInfoHolder, AssertionType)}
*
* @param ID id of the response
* @param sp holder with the information about the Service Provider
* @param idp holder with the information on the Identity Provider
* @param issuerInfo holder with information on the issuer
*
* @return
*
* @throws ConfigurationException
* @throws ProcessingException
*/
public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo) throws ProcessingException {
String responseDestinationURI = sp.getResponseDestinationURI();
XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
// Create assertion -> subject
SubjectType subjectType = new SubjectType();
// subject -> nameid
NameIDType nameIDType = new NameIDType();
nameIDType.setFormat(idp.getNameIDFormat() == null ? null : URI.create(idp.getNameIDFormat()));
nameIDType.setValue(idp.getNameIDFormatValue());
SubjectType.STSubType subType = new SubjectType.STSubType();
subType.addBaseID(nameIDType);
subjectType.setSubType(subType);
SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
subjectConfirmationData.setInResponseTo(sp.getRequestID());
subjectConfirmationData.setRecipient(responseDestinationURI);
// subjectConfirmationData.setNotBefore(issueInstant);
subjectConfirmationData.setNotOnOrAfter(issueInstant);
subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
subjectType.addConfirmation(subjectConfirmation);
AssertionType assertionType;
NameIDType issuerID = issuerInfo.getIssuer();
issueInstant = XMLTimeUtil.getIssueInstant();
ConditionsType conditions = null;
List<StatementAbstractType> statements = new LinkedList<>();
// generate an id for the new assertion.
String assertionID = IDGenerator.create("ID_");
assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions, subjectType, statements);
try {
AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
} catch (ConfigurationException e) {
throw logger.processingError(e);
} catch (IssueInstantMissingException e) {
throw logger.processingError(e);
}
ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
// InResponseTo ID
responseType.setInResponseTo(sp.getRequestID());
// Destination
responseType.setDestination(responseDestinationURI);
return responseType;
}
Also used :
EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
LinkedList(java.util.LinkedList)
IssueInstantMissingException(org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType)
SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType)
SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)
Example 10 with ConditionsType
use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.
the class SAML2LoginResponseBuilder method buildModel.
public ResponseType buildModel() throws ConfigurationException, ProcessingException {
ResponseType responseType = null;
SAML2Response saml2Response = new SAML2Response();
// Create a response type
String id = IDGenerator.create("ID_");
IssuerInfoHolder issuerHolder = new IssuerInfoHolder(issuer);
issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
IDPInfoHolder idp = new IDPInfoHolder();
idp.setNameIDFormatValue(nameId);
idp.setNameIDFormat(nameIdFormat);
SPInfoHolder sp = new SPInfoHolder();
sp.setResponseDestinationURI(destination);
sp.setRequestID(requestID);
sp.setIssuer(requestIssuer);
responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
// Add request issuer as the audience restriction
AudienceRestrictionType audience = new AudienceRestrictionType();
audience.addAudience(URI.create(requestIssuer));
assertion.getConditions().addCondition(audience);
// Update Conditions NotOnOrAfter
if (assertionExpiration > 0) {
ConditionsType conditions = assertion.getConditions();
conditions.setNotOnOrAfter(XMLTimeUtil.add(conditions.getNotBefore(), assertionExpiration * 1000L));
}
// Update SubjectConfirmationData NotOnOrAfter
if (subjectExpiration > 0) {
SubjectConfirmationDataType subjectConfirmationData = assertion.getSubject().getConfirmation().get(0).getSubjectConfirmationData();
subjectConfirmationData.setNotOnOrAfter(XMLTimeUtil.add(assertion.getConditions().getNotBefore(), subjectExpiration * 1000L));
}
// Create an AuthnStatementType
if (!disableAuthnStatement) {
String authContextRef = JBossSAMLURIConstants.AC_UNSPECIFIED.get();
if (isNotNull(authMethod))
authContextRef = authMethod;
AuthnStatementType authnStatement = StatementUtil.createAuthnStatement(XMLTimeUtil.getIssueInstant(), authContextRef);
if (sessionExpiration > 0)
authnStatement.setSessionNotOnOrAfter(XMLTimeUtil.add(authnStatement.getAuthnInstant(), sessionExpiration * 1000L));
if (sessionIndex != null)
authnStatement.setSessionIndex(sessionIndex);
else
authnStatement.setSessionIndex(assertion.getID());
assertion.addStatement(authnStatement);
}
if (includeOneTimeUseCondition) {
assertion.getConditions().addCondition(new OneTimeUseType());
}
if (!this.extensions.isEmpty()) {
ExtensionsType extensionsType = new ExtensionsType();
for (NodeGenerator extension : this.extensions) {
extensionsType.addExtension(extension);
}
responseType.setExtensions(extensionsType);
}
return responseType;
}
Also used :
AudienceRestrictionType(org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType)
OneTimeUseType(org.keycloak.dom.saml.v2.assertion.OneTimeUseType)
SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType)
SPInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder)
ExtensionsType(org.keycloak.dom.saml.v2.protocol.ExtensionsType)
IssuerInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder)
SAML2Response(org.keycloak.saml.processing.api.saml.v2.response.SAML2Response)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
IDPInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder)
Aggregations
ConditionsType (org.keycloak.dom.saml.v2.assertion.ConditionsType)12
XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)6
OneTimeUseType (org.keycloak.dom.saml.v2.assertion.OneTimeUseType)5
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)5
SAML11ConditionsType (org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType)4
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)4
AudienceRestrictionType (org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)4
ConditionAbstractType (org.keycloak.dom.saml.v2.assertion.ConditionAbstractType)4
StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)4
AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)3
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)3
SubjectConfirmationDataType (org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType)3
URI (java.net.URI)2
List (java.util.List)2
QName (javax.xml.namespace.QName)2
Matchers.is (org.hamcrest.Matchers.is)2
Assert (org.junit.Assert)2
Test (org.junit.Test)2
SAML2Object (org.keycloak.dom.saml.v2.SAML2Object)2
AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)2
