Examples with NameIDType org.keycloak.dom.saml.v2.assertion.NameIDType used on opensource projects

Search in sources :

Example 1 with NameIDType

use of org.keycloak.dom.saml.v2.assertion.NameIDType in project keycloak by keycloak.

the class SAMLLogoutAdapterTest method employeeGlobalLogoutTest.

@Test
public void employeeGlobalLogoutTest() {
    SAMLDocumentHolder b = new SamlClientBuilder().navigateTo(employeeServletPage).processSamlResponse(Binding.POST).build().login().user(bburkeUser).build().processSamlResponse(Binding.POST).targetAttributeSamlResponse().transformObject(this::extractNameId).transformObject((SAML2Object o) -> {
        assertThat(o, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType rt = (ResponseType) o;
        NameIDType t = (NameIDType) rt.getAssertions().get(0).getAssertion().getSubject().getSubType().getBaseID();
        t.setNameQualifier(NAME_QUALIFIER);
        t.setSPNameQualifier(SP_NAME_QUALIFIER);
        t.setSPProvidedID(SP_PROVIDED_ID);
    }).build().navigateTo(employeeServletPage.getUriBuilder().clone().queryParam("GLO", "true").build()).getSamlResponse(Binding.POST);
    assertThat(b.getSamlObject(), instanceOf(LogoutRequestType.class));
    LogoutRequestType lr = (LogoutRequestType) b.getSamlObject();
    NameIDType logoutRequestNameID = lr.getNameID();
    assertThat(logoutRequestNameID.getFormat(), is(nameIdRef.get().getFormat()));
    assertThat(logoutRequestNameID.getValue(), is(nameIdRef.get().getValue()));
    assertThat(logoutRequestNameID.getNameQualifier(), is(NAME_QUALIFIER));
    assertThat(logoutRequestNameID.getSPProvidedID(), is(SP_PROVIDED_ID));
    assertThat(logoutRequestNameID.getSPNameQualifier(), is(SP_NAME_QUALIFIER));
}
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) Test(org.junit.Test) AbstractServletsAdapterTest(org.keycloak.testsuite.adapter.AbstractServletsAdapterTest)

Example 2 with NameIDType

use of org.keycloak.dom.saml.v2.assertion.NameIDType in project keycloak by keycloak.

the class SAMLLogoutAdapterTest method extractNameId.

private SAML2Object extractNameId(SAML2Object so) {
    assertThat(so, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType loginResp1 = (ResponseType) so;
    final AssertionType firstAssertion = loginResp1.getAssertions().get(0).getAssertion();
    assertThat(firstAssertion, org.hamcrest.Matchers.notNullValue());
    assertThat(firstAssertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
    NameIDType nameId = (NameIDType) firstAssertion.getSubject().getSubType().getBaseID();
    AuthnStatementType firstAssertionStatement = (AuthnStatementType) firstAssertion.getStatements().iterator().next();
    nameIdRef.set(nameId);
    sessionIndexRef.set(firstAssertionStatement.getSessionIndex());
    return so;
}
Also used : AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)

Example 3 with NameIDType

use of org.keycloak.dom.saml.v2.assertion.NameIDType in project keycloak by keycloak.

the class ClientTokenExchangeSAML2Test method testExchangeToSAML2EncryptedAssertion.

@Test
@UncaughtServerErrorExpected
public void testExchangeToSAML2EncryptedAssertion() throws Exception {
    testingClient.server().run(ClientTokenExchangeSAML2Test::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
    String accessToken = response.getAccessToken();
    TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
    AccessToken token = accessTokenVerifier.parse().getToken();
    Assert.assertEquals(token.getPreferredUsername(), "user");
    Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
    Map<String, String> params = new HashMap<>();
    params.put(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE);
    {
        response = oauth.doTokenExchange(TEST, accessToken, SAML_ENCRYPTED_TARGET, "client-exchanger", "secret", params);
        String exchangedTokenString = response.getAccessToken();
        String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
        // Verify issued_token_type
        Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
        // Decrypt assertion
        Document assertionDoc = DocumentUtil.getDocument(assertionXML);
        Element assertionElement = XMLEncryptionUtil.decryptElementInDocument(assertionDoc, privateKeyFromString(ENCRYPTION_PRIVATE_KEY));
        Assert.assertFalse(AssertionUtil.isSignedElement(assertionElement));
        AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
        // Expires
        Assert.assertEquals(30, response.getExpiresIn());
        // Audience
        AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
        Assert.assertEquals(SAML_ENCRYPTED_TARGET, aud.getAudience().get(0).toString());
        // NameID
        Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
        // Role mapping
        List<String> roles = AssertionUtil.getRoles(assertion, null);
        Assert.assertTrue(roles.contains("example"));
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) HashMap(java.util.HashMap) AudienceRestrictionType(org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType) Element(org.w3c.dom.Element) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) Document(org.w3c.dom.Document) AccessToken(org.keycloak.representations.AccessToken) List(java.util.List) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 4 with NameIDType

use of org.keycloak.dom.saml.v2.assertion.NameIDType in project keycloak by keycloak.

the class ClientTokenExchangeSAML2Test method testExchangeToSAML2SignedAssertion.

@Test
@UncaughtServerErrorExpected
public void testExchangeToSAML2SignedAssertion() throws Exception {
    testingClient.server().run(ClientTokenExchangeSAML2Test::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
    String accessToken = response.getAccessToken();
    TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
    AccessToken token = accessTokenVerifier.parse().getToken();
    Assert.assertEquals(token.getPreferredUsername(), "user");
    Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
    Map<String, String> params = new HashMap<>();
    params.put(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE);
    {
        response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "client-exchanger", "secret", params);
        String exchangedTokenString = response.getAccessToken();
        String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
        // Verify issued_token_type
        Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
        // Verify assertion
        Element assertionElement = DocumentUtil.getDocument(assertionXML).getDocumentElement();
        Assert.assertTrue(AssertionUtil.isSignedElement(assertionElement));
        AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
        Assert.assertTrue(AssertionUtil.isSignatureValid(assertionElement, publicKeyFromString(REALM_PUBLIC_KEY)));
        // Expires
        Assert.assertEquals(60, response.getExpiresIn());
        // Audience
        AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
        Assert.assertEquals(SAML_SIGNED_TARGET, aud.getAudience().get(0).toString());
        // NameID
        Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
        // Role mapping
        List<String> roles = AssertionUtil.getRoles(assertion, null);
        Assert.assertTrue(roles.contains("example"));
    }
    {
        response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "legal", "secret", params);
        String exchangedTokenString = response.getAccessToken();
        String assertionXML = new String(Base64Url.decode(exchangedTokenString), "UTF-8");
        // Verify issued_token_type
        Assert.assertEquals(OAuth2Constants.SAML2_TOKEN_TYPE, response.getIssuedTokenType());
        // Verify assertion
        Element assertionElement = DocumentUtil.getDocument(assertionXML).getDocumentElement();
        Assert.assertTrue(AssertionUtil.isSignedElement(assertionElement));
        AssertionType assertion = (AssertionType) SAMLParser.getInstance().parse(assertionElement);
        Assert.assertTrue(AssertionUtil.isSignatureValid(assertionElement, publicKeyFromString(REALM_PUBLIC_KEY)));
        // Audience
        AudienceRestrictionType aud = (AudienceRestrictionType) assertion.getConditions().getConditions().get(0);
        Assert.assertEquals(SAML_SIGNED_TARGET, aud.getAudience().get(0).toString());
        // NameID
        Assert.assertEquals("user", ((NameIDType) assertion.getSubject().getSubType().getBaseID()).getValue());
        // Role mapping
        List<String> roles = AssertionUtil.getRoles(assertion, null);
        Assert.assertTrue(roles.contains("example"));
    }
    {
        response = oauth.doTokenExchange(TEST, accessToken, SAML_SIGNED_TARGET, "illegal", "secret", params);
        Assert.assertEquals(403, response.getStatusCode());
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) HashMap(java.util.HashMap) AudienceRestrictionType(org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType) Element(org.w3c.dom.Element) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) AccessToken(org.keycloak.representations.AccessToken) List(java.util.List) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 5 with NameIDType

use of org.keycloak.dom.saml.v2.assertion.NameIDType in project keycloak by keycloak.

the class SamlPrincipal method getNameID.

/**
 * Subject nameID format
 *
 * @return
 */
public NameIDType getNameID() {
    if (assertion != null && assertion.getSubject() != null && assertion.getSubject().getSubType() != null && assertion.getSubject().getSubType().getBaseID() instanceof NameIDType) {
        return (NameIDType) assertion.getSubject().getSubType().getBaseID();
    }
    NameIDType res = new NameIDType();
    res.setValue(getSamlSubject());
    if (getNameIDFormat() != null) {
        res.setFormat(URI.create(getNameIDFormat()));
    }
    return res;
}
Also used : NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)

Aggregations

NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)54 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)22 Element (org.w3c.dom.Element)21 Test (org.junit.Test)20 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)19 SubjectType (org.keycloak.dom.saml.v2.assertion.SubjectType)15 QName (javax.xml.namespace.QName)12 List (java.util.List)11 URI (java.net.URI)9 AudienceRestrictionType (org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)8 XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)7 ExtensionsType (org.keycloak.dom.saml.v2.protocol.ExtensionsType)7 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)7 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)7 Document (org.w3c.dom.Document)7 InputStream (java.io.InputStream)5 HashMap (java.util.HashMap)5 AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)5 AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)5 EncryptedAssertionType (org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial