
Example 6 with EndpointType

use of org.keycloak.dom.saml.v2.metadata.EndpointType in project keycloak by keycloak.

Class SAMLIdentityProviderFactory, method parseConfig.

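/**
 * Derives the identity-provider configuration from an IdP SAML metadata document.
 *
 * <p>The metadata is parsed with {@link SAMLParser}; when the root element is an
 * {@code EntitiesDescriptor} only its first {@code EntityDescriptor} is imported.
 * Endpoint URLs and bindings, the first NameID format, signing/encryption
 * certificates, the {@code validUntil} validity and the REFEDS hide-from-discovery
 * entity category are read from the {@code IDPSSODescriptor}.
 *
 * @param session     the current session; not used by this implementation
 * @param inputStream the metadata XML to read
 * @return the resulting config map, or an empty map when the metadata carries no
 *         {@code IDPSSODescriptor}
 * @throws RuntimeException wrapping the {@link ParsingException} when the XML cannot be parsed
 */
@Override
public Map<String, String> parseConfig(KeycloakSession session, InputStream inputStream) {
    try {
        Object parsedObject = SAMLParser.getInstance().parse(inputStream);
        EntityDescriptorType entityType;
        if (parsedObject instanceof EntitiesDescriptorType) {
            // Only the first entity of an EntitiesDescriptor is imported.
            entityType = (EntityDescriptorType) ((EntitiesDescriptorType) parsedObject).getEntityDescriptor().get(0);
        } else {
            entityType = (EntityDescriptorType) parsedObject;
        }

        IDPSSODescriptorType idpDescriptor = findIdpDescriptor(entityType);
        if (idpDescriptor == null) {
            return new HashMap<>();
        }

        SAMLIdentityProviderConfig config = new SAMLIdentityProviderConfig();

        // SSO endpoint: HTTP-POST wins over HTTP-Redirect when both are advertised.
        String singleSignOnServiceUrl = null;
        boolean postBindingResponse = false;
        for (EndpointType endpoint : idpDescriptor.getSingleSignOnService()) {
            if (hasBinding(endpoint, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING)) {
                singleSignOnServiceUrl = endpoint.getLocation().toString();
                postBindingResponse = true;
                break;
            }
            if (hasBinding(endpoint, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING)) {
                singleSignOnServiceUrl = endpoint.getLocation().toString();
            }
        }

        // SLO endpoint: only the binding family chosen for SSO is accepted.
        String singleLogoutServiceUrl = null;
        boolean postBindingLogout = false;
        JBossSAMLURIConstants wantedLogoutBinding = postBindingResponse
                ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING
                : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING;
        for (EndpointType endpoint : idpDescriptor.getSingleLogoutService()) {
            if (hasBinding(endpoint, wantedLogoutBinding)) {
                singleLogoutServiceUrl = endpoint.getLocation().toString();
                postBindingLogout = postBindingResponse;
                break;
            }
        }

        config.setSingleLogoutServiceUrl(singleLogoutServiceUrl);
        config.setSingleSignOnServiceUrl(singleSignOnServiceUrl);
        config.setWantAuthnRequestsSigned(idpDescriptor.isWantAuthnRequestsSigned());
        config.setAddExtensionsElementWithKeyInfo(false);
        // NOTE(review): response-signature validation is keyed off WantAuthnRequestsSigned
        // (an IdP statement about the requests *it* receives), not off whether the metadata
        // advertises signing certificates; behaviour kept as-is, confirm it is intended.
        config.setValidateSignature(idpDescriptor.isWantAuthnRequestsSigned());
        config.setPostBindingResponse(postBindingResponse);
        config.setPostBindingAuthnRequest(postBindingResponse);
        config.setPostBindingLogout(postBindingLogout);
        config.setLoginHint(false);

        List<String> nameIdFormatList = idpDescriptor.getNameIDFormat();
        if (nameIdFormatList != null && !nameIdFormatList.isEmpty()) {
            config.setNameIDPolicyFormat(nameIdFormatList.get(0));
        }

        applyKeyDescriptors(config, idpDescriptor.getKeyDescriptor());

        // Metadata whose validUntil has already passed is imported disabled.
        config.setEnabledFromMetadata(entityType.getValidUntil() == null
                || entityType.getValidUntil().toGregorianCalendar().getTime().after(new Date()));

        if (isHiddenFromDiscovery(entityType)) {
            config.setHideOnLogin(true);
        }
        return config.getConfig();
    } catch (ParsingException pe) {
        throw new RuntimeException("Could not parse IdP SAML Metadata", pe);
    }
}

/**
 * Returns the IDPSSODescriptor of the entity, or {@code null} when none is present.
 *
 * <p>Only the first descriptor of each choice element is inspected; when several
 * choice elements carry one, the last one encountered is returned.
 */
private IDPSSODescriptorType findIdpDescriptor(EntityDescriptorType entityType) {
    IDPSSODescriptorType found = null;
    for (EntityDescriptorType.EDTChoiceType edtChoiceType : entityType.getChoiceType()) {
        List<EntityDescriptorType.EDTDescriptorChoiceType> descriptors = edtChoiceType.getDescriptors();
        if (!descriptors.isEmpty() && descriptors.get(0).getIdpDescriptor() != null) {
            found = descriptors.get(0).getIdpDescriptor();
        }
    }
    return found;
}

/** True when the endpoint's Binding attribute equals the given SAML binding URI. */
private static boolean hasBinding(EndpointType endpoint, JBossSAMLURIConstants binding) {
    return endpoint.getBinding().toString().equals(binding.get());
}

/**
 * Registers the IdP's signing and encryption certificates on the config.
 *
 * <p>A KeyDescriptor without a {@code use} attribute acts as a default that fills
 * whichever of signing/encryption was not set explicitly (the last such descriptor
 * wins). Descriptors whose KeyInfo is absent or carries no {@code X509Certificate}
 * child are skipped rather than dereferenced, so such metadata no longer fails with
 * a NullPointerException.
 *
 * @param config         the config being populated
 * @param keyDescriptors the IdP's KeyDescriptor elements; may be {@code null}
 */
private void applyKeyDescriptors(SAMLIdentityProviderConfig config, List<KeyDescriptorType> keyDescriptors) {
    if (keyDescriptors == null) {
        return;
    }
    String defaultCertificate = null;
    for (KeyDescriptorType keyDescriptorType : keyDescriptors) {
        Element keyInfo = keyDescriptorType.getKeyInfo();
        Element x509KeyInfo = keyInfo == null
                ? null
                : DocumentUtil.getChildElement(keyInfo, new QName("dsig", "X509Certificate"));
        if (x509KeyInfo == null) {
            continue;
        }
        String certificate = x509KeyInfo.getTextContent();
        KeyTypes use = keyDescriptorType.getUse();
        if (KeyTypes.SIGNING.equals(use)) {
            config.addSigningCertificate(certificate);
        } else if (KeyTypes.ENCRYPTION.equals(use)) {
            config.setEncryptionPublicKey(certificate);
        } else if (use == null) {
            defaultCertificate = certificate;
        }
    }
    if (defaultCertificate != null) {
        if (config.getSigningCertificates().length == 0) {
            config.addSigningCertificate(defaultCertificate);
        }
        if (config.getEncryptionPublicKey() == null) {
            config.setEncryptionPublicKey(defaultCertificate);
        }
    }
}

/**
 * True when the entity's EntityAttributes extension carries the MACE-Dir entity
 * category attribute with the REFEDS hide-from-discovery value.
 */
private boolean isHiddenFromDiscovery(EntityDescriptorType entityType) {
    if (entityType.getExtensions() == null || entityType.getExtensions().getEntityAttributes() == null) {
        return false;
    }
    for (AttributeType attribute : entityType.getExtensions().getEntityAttributes().getAttribute()) {
        if (MACEDIR_ENTITY_CATEGORY.equals(attribute.getName())
                && attribute.getAttributeValue().contains(REFEDS_HIDE_FROM_DISCOVERY)) {
            return true;
        }
    }
    return false;
}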

Example 7 with EndpointType

use of org.keycloak.dom.saml.v2.metadata.EndpointType in project keycloak by keycloak.

Class FixedHostnameTest, method assertSamlIdPDescriptor.

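/**
 * Fetches the realm's SAML IdP descriptor and checks that the entity ID and every
 * SingleSignOnService location are built from {@code expectedBaseUrl}.
 *
 * @param realm           the realm whose descriptor is fetched
 * @param expectedBaseUrl the base URL the descriptor is expected to advertise
 * @throws Exception when the descriptor cannot be fetched or parsed; the raw
 *                   descriptor is logged and the exception is rethrown so the test fails
 */
private void assertSamlIdPDescriptor(String realm, String expectedBaseUrl) throws Exception {
    final String realmUrl = expectedBaseUrl + "/auth/realms/" + realm;
    final String baseSamlEndpointUrl = realmUrl + "/protocol/saml";
    String entityDescriptor = null;
    try (CloseableHttpClient client = HttpClientBuilder.create().build();
        CloseableHttpResponse resp = client.execute(new HttpGet(baseSamlEndpointUrl + "/descriptor"))) {
        entityDescriptor = EntityUtils.toString(resp.getEntity(), GeneralConstants.SAML_CHARSET);
        Object metadataO = SAMLParser.getInstance().parse(new ByteArrayInputStream(entityDescriptor.getBytes(GeneralConstants.SAML_CHARSET)));
        assertThat(metadataO, instanceOf(EntityDescriptorType.class));
        EntityDescriptorType ed = (EntityDescriptorType) metadataO;
        assertThat(ed.getEntityID(), is(realmUrl));
        // Only the first descriptor of the first choice element is checked.
        IDPSSODescriptorType idpDescriptor = ed.getChoiceType().get(0).getDescriptors().get(0).getIdpDescriptor();
        assertThat(idpDescriptor, notNullValue());
        final List<String> locations = idpDescriptor.getSingleSignOnService().stream().map(EndpointType::getLocation).map(URI::toString).collect(Collectors.toList());
        assertThat(locations, Matchers.everyItem(is(baseSamlEndpointUrl)));
    } catch (Exception e) {
        // Log the raw descriptor for diagnosis, but do not swallow the failure: a
        // fetch or parse error must fail the test instead of letting it pass vacuously.
        // (AssertionError is not an Exception and was never caught here.)
        log.errorf("Caught exception while parsing SAML descriptor %s", entityDescriptor);
        throw e;
    }
}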

Example 8 with EndpointType

use of org.keycloak.dom.saml.v2.metadata.EndpointType in project keycloak by keycloak.

Class SPMetadataDescriptor, method buildSPdescriptor.

/**
 * Builds the SP {@code EntityDescriptor} advertised in this service provider's metadata.
 *
 * <p>The descriptor gets a generated ID, one {@code SPSSODescriptor} with the given
 * signing/encryption flags and NameID format, one SingleLogoutService endpoint and
 * one AssertionConsumerService endpoint marked as default with index 1. Signing
 * certificates are only advertised when {@code wantAuthnRequestsSigned} is set, and
 * encryption certificates only when {@code wantAssertionsEncrypted} is set.
 *
 * @param loginBinding            binding URI of the AssertionConsumerService
 * @param logoutBinding           binding URI of the SingleLogoutService
 * @param assertionEndpoint       location of the AssertionConsumerService
 * @param logoutEndpoint          location of the SingleLogoutService
 * @param wantAuthnRequestsSigned whether AuthnRequests are signed (also gates signing certs)
 * @param wantAssertionsSigned    whether assertions must be signed
 * @param wantAssertionsEncrypted whether assertions must be encrypted (gates encryption certs)
 * @param entityId                the SP entity ID
 * @param nameIDPolicyFormat      the NameID format to advertise
 * @param signingCerts            KeyInfo elements for signing; may be {@code null}
 * @param encryptionCerts         KeyInfo elements for encryption; may be {@code null}
 * @return the populated entity descriptor
 */
public static EntityDescriptorType buildSPdescriptor(URI loginBinding, URI logoutBinding, URI assertionEndpoint, URI logoutEndpoint, boolean wantAuthnRequestsSigned, boolean wantAssertionsSigned, boolean wantAssertionsEncrypted, String entityId, String nameIDPolicyFormat, List<Element> signingCerts, List<Element> encryptionCerts) {
    final EntityDescriptorType descriptor = new EntityDescriptorType(entityId);
    descriptor.setID(IDGenerator.create("ID_"));

    final SPSSODescriptorType spDescriptor = new SPSSODescriptorType(Arrays.asList(PROTOCOL_NSURI.get()));
    spDescriptor.setAuthnRequestsSigned(wantAuthnRequestsSigned);
    spDescriptor.setWantAssertionsSigned(wantAssertionsSigned);
    spDescriptor.addNameIDFormat(nameIDPolicyFormat);
    spDescriptor.addSingleLogoutService(new EndpointType(logoutBinding, logoutEndpoint));

    // Certificates are advertised only when the matching feature is enabled.
    if (wantAuthnRequestsSigned) {
        addKeyDescriptors(spDescriptor, signingCerts, KeyTypes.SIGNING);
    }
    if (wantAssertionsEncrypted) {
        addKeyDescriptors(spDescriptor, encryptionCerts, KeyTypes.ENCRYPTION);
    }

    final IndexedEndpointType acs = new IndexedEndpointType(loginBinding, assertionEndpoint);
    acs.setIsDefault(true);
    acs.setIndex(1);
    spDescriptor.addAssertionConsumerService(acs);

    final EntityDescriptorType.EDTDescriptorChoiceType descriptorChoice =
            new EntityDescriptorType.EDTDescriptorChoiceType(spDescriptor);
    descriptor.addChoiceType(new EntityDescriptorType.EDTChoiceType(Arrays.asList(descriptorChoice)));
    return descriptor;
}

/**
 * Adds one KeyDescriptor per KeyInfo element with the given {@code use}; a
 * {@code null} list adds nothing.
 */
private static void addKeyDescriptors(SPSSODescriptorType spDescriptor, List<Element> keyInfos, KeyTypes use) {
    if (keyInfos == null) {
        return;
    }
    for (Element keyInfo : keyInfos) {
        final KeyDescriptorType keyDescriptor = new KeyDescriptorType();
        keyDescriptor.setUse(use);
        keyDescriptor.setKeyInfo(keyInfo);
        spDescriptor.addKeyDescriptor(keyDescriptor);
    }
}

Example 9 with EndpointType

use of org.keycloak.dom.saml.v2.metadata.EndpointType in project keycloak by keycloak.

Class SAMLIndexedEndpointTypeParser, method instantiateElement.

/**
 * Creates an {@link IndexedEndpointType} from the attributes of the start element.
 *
 * <p>{@code Binding} and {@code Location} are read as required attributes;
 * {@code isDefault}, {@code index} and {@code ResponseLocation} are applied only
 * when present. Note that {@link URI#create(String)} reports a malformed attribute
 * value as an {@code IllegalArgumentException}, not as a {@link ParsingException}.
 *
 * @param xmlEventReader the reader positioned at the element; not consumed here
 * @param element        the start element carrying the endpoint attributes
 * @return the populated endpoint
 * @throws ParsingException presumably raised by the required-attribute lookups when
 *                          an attribute is missing — confirm against StaxParserUtil
 */
@Override
protected IndexedEndpointType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    final URI bindingUri = URI.create(StaxParserUtil.getRequiredAttributeValue(element, SAMLMetadataQNames.ATTR_BINDING));
    final URI locationUri = URI.create(StaxParserUtil.getRequiredAttributeValue(element, SAMLMetadataQNames.ATTR_LOCATION));
    final IndexedEndpointType result = new IndexedEndpointType(bindingUri, locationUri);

    // IndexedEndpointType attributes: keep the object's defaults when absent.
    final Boolean defaultFlag = StaxParserUtil.getBooleanAttributeValue(element, SAMLMetadataQNames.ATTR_IS_DEFAULT);
    if (defaultFlag != null) {
        result.setIsDefault(defaultFlag);
    }
    final Integer endpointIndex = StaxParserUtil.getIntegerAttributeValue(element, SAMLMetadataQNames.ATTR_INDEX);
    if (endpointIndex != null) {
        result.setIndex(endpointIndex);
    }

    // EndpointType attributes
    final String responseLocationValue = StaxParserUtil.getAttributeValue(element, SAMLMetadataQNames.ATTR_RESPONSE_LOCATION);
    if (responseLocationValue != null) {
        result.setResponseLocation(URI.create(responseLocationValue));
    }
    return result;
}

Example 10 with EndpointType

use of org.keycloak.dom.saml.v2.metadata.EndpointType in project keycloak by keycloak.

Class SAMLEndpointTypeParser, method instantiateElement.

/**
 * Creates an {@link EndpointType} from the attributes of the start element.
 *
 * <p>{@code Binding} and {@code Location} are read as required attributes;
 * {@code ResponseLocation} is applied only when present. A malformed attribute
 * value surfaces from {@link URI#create(String)} as an
 * {@code IllegalArgumentException} rather than a {@link ParsingException}.
 *
 * @param xmlEventReader the reader positioned at the element; not consumed here
 * @param element        the start element carrying the endpoint attributes
 * @return the populated endpoint
 * @throws ParsingException presumably raised by the required-attribute lookups when
 *                          an attribute is missing — confirm against StaxParserUtil
 */
@Override
protected EndpointType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    final URI bindingUri = URI.create(StaxParserUtil.getRequiredAttributeValue(element, SAMLMetadataQNames.ATTR_BINDING));
    final URI locationUri = URI.create(StaxParserUtil.getRequiredAttributeValue(element, SAMLMetadataQNames.ATTR_LOCATION));
    final EndpointType result = new EndpointType(bindingUri, locationUri);

    // Optional attribute: leave the response location unset when absent.
    final String responseLocationValue = StaxParserUtil.getAttributeValue(element, SAMLMetadataQNames.ATTR_RESPONSE_LOCATION);
    if (responseLocationValue != null) {
        result.setResponseLocation(URI.create(responseLocationValue));
    }
    return result;
}
