
Example 1 with EntityDescriptorType

use of org.keycloak.dom.saml.v2.metadata.EntityDescriptorType in project keycloak by keycloak.

the class SAMLParserTest method testSaml20MetadataEntityDescriptorSP.

/**
 * Parses the {@code saml20-entity-descriptor-sp.xml} fixture and checks each field the
 * metadata parser is expected to populate for a service-provider entity descriptor:
 * signing flags, key descriptors, logout and assertion-consumer endpoints, requested
 * attributes and organization details.
 *
 * <p>The expected values mirror the fixture; they are not recommended settings. The fixture
 * advertises {@code xmlenc#rsa-1_5} (RSA PKCS#1 v1.5 key transport), an algorithm that is
 * exposed to padding-oracle attacks, and sets {@code WantAssertionsSigned} to false. The
 * test only verifies that the parser reports these values as written.
 */
@Test
public void testSaml20MetadataEntityDescriptorSP() throws Exception {
    EntityDescriptorType metadata = assertParsed("saml20-entity-descriptor-sp.xml", EntityDescriptorType.class);

    // Top-level attributes: only the entity ID is present in the fixture.
    assertThat(metadata.getEntityID(), is("https://ServiceProvider.com/SAML"));
    assertThat(metadata.getValidUntil(), is(nullValue()));
    assertThat(metadata.getCacheDuration(), is(nullValue()));
    assertThat(metadata.getID(), is(nullValue()));
    assertThat(metadata.getExtensions(), is(nullValue()));

    List<EntityDescriptorType.EDTChoiceType> choices = metadata.getChoiceType();
    assertThat(choices, hasSize(1));

    // The single role descriptor is an SPSSODescriptor.
    SPSSODescriptorType sp = choices.get(0).getDescriptors().get(0).getSpDescriptor();
    assertThat(sp, is(notNullValue()));
    assertThat(sp.isAuthnRequestsSigned(), is(true));
    assertThat(sp.isWantAssertionsSigned(), is(false));
    assertThat(sp.getProtocolSupportEnumeration(), contains("urn:oasis:names:tc:SAML:2.0:protocol"));

    // Two keys: the first for signing, the second for encryption.
    List<KeyDescriptorType> keys = sp.getKeyDescriptor();
    assertThat(keys, hasSize(2));

    KeyDescriptorType sigKey = keys.get(0);
    assertThat(sigKey.getUse(), is(KeyTypes.SIGNING));
    assertThat(sigKey.getEncryptionMethod(), is(emptyCollectionOf(EncryptionMethodType.class)));
    assertThat(
        sigKey.getKeyInfo().getElementsByTagName("ds:KeyName").item(0).getTextContent(),
        is("ServiceProvider.com SSO Key"));

    KeyDescriptorType encKey = keys.get(1);
    assertThat(encKey.getUse(), is(KeyTypes.ENCRYPTION));
    assertThat(
        encKey.getKeyInfo().getElementsByTagName("ds:KeyName").item(0).getTextContent(),
        is("ServiceProvider.com Encrypt Key"));

    // The algorithm URI must come back exactly as the metadata declares it.
    List<EncryptionMethodType> encMethods = encKey.getEncryptionMethod();
    assertThat(encMethods, Matchers.<EncryptionMethodType>hasSize(1));
    assertThat(encMethods.get(0).getAlgorithm(), is("http://www.w3.org/2001/04/xmlenc#rsa-1_5"));
    assertThat(encMethods.get(0).getEncryptionMethod(), is(nullValue()));

    // Single logout: a SOAP endpoint followed by an HTTP-Redirect endpoint.
    assertThat(sp.getSingleLogoutService(), hasSize(2));

    EndpointType sloSoap = sp.getSingleLogoutService().get(0);
    assertThat(sloSoap.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")));
    assertThat(sloSoap.getLocation(), is(URI.create("https://ServiceProvider.com/SAML/SLO/SOAP")));
    assertThat(sloSoap.getResponseLocation(), is(nullValue()));
    assertThat(sloSoap.getAny(), is(emptyCollectionOf(Object.class)));
    assertThat(sloSoap.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    EndpointType sloRedirect = sp.getSingleLogoutService().get(1);
    assertThat(sloRedirect.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")));
    assertThat(sloRedirect.getLocation(), is(URI.create("https://ServiceProvider.com/SAML/SLO/Browser")));
    assertThat(sloRedirect.getResponseLocation(), is(URI.create("https://ServiceProvider.com/SAML/SLO/Response")));
    assertThat(sloRedirect.getAny(), is(emptyCollectionOf(Object.class)));
    assertThat(sloRedirect.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    // Name identifier formats
    assertThat(sp.getNameIDFormat(), contains("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));

    // Assertion consumer services: Artifact (index 0, default) and POST (index 1).
    List<IndexedEndpointType> acsList = sp.getAssertionConsumerService();
    assertThat(acsList, hasSize(2));

    IndexedEndpointType acsArtifact = acsList.get(0);
    assertThat(acsArtifact.getIndex(), is(0));
    assertThat(acsArtifact.isIsDefault(), is(true));
    assertThat(acsArtifact.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact")));
    assertThat(acsArtifact.getLocation(), is(URI.create("https://ServiceProvider.com/SAML/SSO/Artifact")));
    assertThat(acsArtifact.getResponseLocation(), is(nullValue()));
    assertThat(acsArtifact.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    IndexedEndpointType acsPost = acsList.get(1);
    assertThat(acsPost.getIndex(), is(1));
    // The expected value for isDefault on this endpoint is null, not false.
    assertThat(acsPost.isIsDefault(), is(nullValue()));
    assertThat(acsPost.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")));
    assertThat(acsPost.getLocation(), is(URI.create("https://ServiceProvider.com/SAML/SSO/POST")));
    assertThat(acsPost.getResponseLocation(), is(nullValue()));
    assertThat(acsPost.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    // Attribute consuming service and the single attribute it requests.
    List<AttributeConsumingServiceType> consumingServices = sp.getAttributeConsumingService();
    assertThat(consumingServices, hasSize(1));

    AttributeConsumingServiceType consumingService = consumingServices.get(0);
    assertThat(consumingService.getIndex(), is(0));
    assertThat(consumingService.getServiceName(), hasSize(1));

    LocalizedNameType serviceName = consumingService.getServiceName().get(0);
    assertThat(serviceName.getLang(), is("en"));
    assertThat(serviceName.getValue(), is("Academic Journals R US"));
    assertThat(consumingService.getServiceDescription(), is(emptyCollectionOf(LocalizedNameType.class)));

    List<RequestedAttributeType> requested = consumingService.getRequestedAttribute();
    assertThat(requested, hasSize(1));

    RequestedAttributeType entitlement = requested.get(0);
    assertThat(entitlement.getNameFormat(), is("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"));
    assertThat(entitlement.getName(), is("urn:oid:1.3.6.1.4.1.5923.1.1.1.7"));
    assertThat(entitlement.getFriendlyName(), is("eduPersonEntitlement"));
    assertThat(entitlement.getAttributeValue(), hasSize(1));
    assertThat(
        (String) entitlement.getAttributeValue().get(0),
        is("https://ServiceProvider.com/entitlements/123456789"));
    assertThat(entitlement.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    // Organization block. The name is expected with its embedded line break and indentation intact.
    assertThat(metadata.getOrganization().getOrganizationName(), hasSize(1));
    LocalizedNameType organizationName = metadata.getOrganization().getOrganizationName().get(0);
    assertThat(organizationName.getLang(), is("en"));
    assertThat(organizationName.getValue(), is("Academic Journals R\n            US"));

    assertThat(metadata.getOrganization().getOrganizationDisplayName(), hasSize(1));
    LocalizedNameType organizationDisplayName = metadata.getOrganization().getOrganizationDisplayName().get(0);
    assertThat(organizationDisplayName.getLang(), is("en"));
    assertThat(organizationDisplayName.getValue(), is("Academic Journals R US, a Division of Dirk Corp."));

    assertThat(metadata.getOrganization().getOrganizationURL(), hasSize(1));
    LocalizedURIType organizationUrl = metadata.getOrganization().getOrganizationURL().get(0);
    assertThat(organizationUrl.getLang(), is("en"));
    assertThat(organizationUrl.getValue(), is(URI.create("https://ServiceProvider.com")));
}
Also used : QName(javax.xml.namespace.QName) EncryptionMethodType(org.keycloak.dom.xmlsec.w3.xmlenc.EncryptionMethodType) Matchers.containsString(org.hamcrest.Matchers.containsString) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) SPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType) RequestedAttributeType(org.keycloak.dom.saml.v2.metadata.RequestedAttributeType) LocalizedURIType(org.keycloak.dom.saml.v2.metadata.LocalizedURIType) LocalizedNameType(org.keycloak.dom.saml.v2.metadata.LocalizedNameType) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType) AttributeConsumingServiceType(org.keycloak.dom.saml.v2.metadata.AttributeConsumingServiceType) Test(org.junit.Test)

Example 2 with EntityDescriptorType

use of org.keycloak.dom.saml.v2.metadata.EntityDescriptorType in project keycloak by keycloak.

the class SAMLParserTest method testSAML20MetadataEntityDescriptorAttrA.

/**
 * Parses the {@code saml20-entity-descriptor-idp.xml} fixture and checks the
 * AttributeAuthorityDescriptor that the parser exposes as the second role descriptor:
 * its signing key, attribute and assertion-ID request endpoints, name-ID formats and the
 * two attributes it offers.
 */
@Test
public void testSAML20MetadataEntityDescriptorAttrA() throws Exception {
    EntityDescriptorType metadata = assertParsed("saml20-entity-descriptor-idp.xml", EntityDescriptorType.class);

    List<EntityDescriptorType.EDTChoiceType> choices = metadata.getChoiceType();
    assertThat(choices, hasSize(2));

    // The attribute authority is read from the second choice entry.
    AttributeAuthorityDescriptorType attributeAuthority = choices.get(1).getDescriptors().get(0).getAttribDescriptor();
    assertThat(attributeAuthority, is(notNullValue()));
    assertThat(attributeAuthority.getProtocolSupportEnumeration(), contains("urn:oasis:names:tc:SAML:2.0:protocol"));

    // Exactly one key, marked for signing and carrying no encryption methods.
    List<KeyDescriptorType> keys = attributeAuthority.getKeyDescriptor();
    assertThat(keys, hasSize(1));
    KeyDescriptorType sigKey = keys.get(0);
    assertThat(sigKey.getUse(), is(KeyTypes.SIGNING));
    assertThat(sigKey.getEncryptionMethod(), is(emptyCollectionOf(EncryptionMethodType.class)));
    assertThat(
        sigKey.getKeyInfo().getElementsByTagName("ds:KeyName").item(0).getTextContent(),
        is("IdentityProvider.com AA Key"));

    // AttributeService endpoint (SOAP binding)
    assertThat(attributeAuthority.getAttributeService(), hasSize(1));
    EndpointType attributeService = attributeAuthority.getAttributeService().get(0);
    assertThat(attributeService.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:SOAP")));
    assertThat(attributeService.getLocation(), is(URI.create("https://IdentityProvider.com/SAML/AA/SOAP")));
    assertThat(attributeService.getResponseLocation(), is(nullValue()));
    assertThat(attributeService.getAny(), is(emptyCollectionOf(Object.class)));
    assertThat(attributeService.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    // AssertionIDRequestService endpoint (URI binding)
    assertThat(attributeAuthority.getAssertionIDRequestService(), hasSize(1));
    EndpointType assertionIdService = attributeAuthority.getAssertionIDRequestService().get(0);
    assertThat(assertionIdService.getBinding(), is(URI.create("urn:oasis:names:tc:SAML:2.0:bindings:URI")));
    assertThat(assertionIdService.getLocation(), is(URI.create("https://IdentityProvider.com/SAML/AA/URI")));
    assertThat(assertionIdService.getResponseLocation(), is(nullValue()));
    assertThat(assertionIdService.getAny(), is(emptyCollectionOf(Object.class)));
    assertThat(assertionIdService.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));

    // Name-ID formats are compared without regard to order.
    assertThat(
        attributeAuthority.getNameIDFormat(),
        containsInAnyOrder(
            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));

    // Offered attributes: the first has no values, the second lists five affiliations.
    assertThat(attributeAuthority.getAttribute(), hasSize(2));

    AttributeType principalName = attributeAuthority.getAttribute().get(0);
    assertThat(principalName.getNameFormat(), is("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"));
    assertThat(principalName.getName(), is("urn:oid:1.3.6.1.4.1.5923.1.1.1.6"));
    assertThat(principalName.getFriendlyName(), is("eduPersonPrincipalName"));
    assertThat(principalName.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));
    assertThat(principalName.getAttributeValue(), is(emptyCollectionOf(Object.class)));

    AttributeType affiliation = attributeAuthority.getAttribute().get(1);
    assertThat(affiliation.getNameFormat(), is("urn:oasis:names:tc:SAML:2.0:attrname-format:uri"));
    assertThat(affiliation.getName(), is("urn:oid:1.3.6.1.4.1.5923.1.1.1.1"));
    assertThat(affiliation.getFriendlyName(), is("eduPersonAffiliation"));
    assertThat(affiliation.getOtherAttributes(), is(Collections.<QName, String>emptyMap()));
    assertThat(
        affiliation.getAttributeValue(),
        containsInAnyOrder((Object) "member", "student", "faculty", "employee", "staff"));
}
Also used : QName(javax.xml.namespace.QName) RequestedAttributeType(org.keycloak.dom.saml.v2.metadata.RequestedAttributeType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) AttributeAuthorityDescriptorType(org.keycloak.dom.saml.v2.metadata.AttributeAuthorityDescriptorType) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) Matchers.containsString(org.hamcrest.Matchers.containsString) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType) Test(org.junit.Test)

Example 3 with EntityDescriptorType

use of org.keycloak.dom.saml.v2.metadata.EntityDescriptorType in project keycloak by keycloak.

the class SAMLEntityDescriptorParser method instantiateElement.

/**
 * Creates the {@link EntityDescriptorType} for the given start element, copying its
 * entityID, validUntil, cacheDuration and ID attributes onto the new object.
 *
 * <p>This method only records {@code validUntil} and {@code cacheDuration}; it does not
 * compare them with the current time, so rejecting expired metadata is left to whoever
 * consumes the descriptor.
 *
 * @param xmlEventReader event reader positioned at the element; not read by this method
 * @param element the start element whose attributes are copied
 * @return a descriptor carrying the four attribute values
 * @throws ParsingException declared for the attribute helpers; presumably raised when
 *         the required entityID is absent or a value is malformed (confirm in StaxParserUtil)
 */
@Override
protected EntityDescriptorType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    // The entity ID is read through the "required" helper; the remaining attributes use the plain helpers.
    final EntityDescriptorType result = new EntityDescriptorType(
        StaxParserUtil.getRequiredAttributeValue(element, SAMLMetadataQNames.ATTR_ENTITY_ID));

    result.setValidUntil(
        StaxParserUtil.getXmlTimeAttributeValue(element, SAMLMetadataQNames.ATTR_VALID_UNTIL));
    result.setCacheDuration(
        StaxParserUtil.getXmlDurationAttributeValue(element, SAMLMetadataQNames.ATTR_CACHE_DURATION));
    result.setID(
        StaxParserUtil.getAttributeValue(element, SAMLMetadataQNames.ATTR_ID));

    return result;
}
Also used : EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType)

Example 4 with EntityDescriptorType

use of org.keycloak.dom.saml.v2.metadata.EntityDescriptorType in project keycloak by keycloak.

the class EntityDescriptorDescriptionConverter method loadEntityDescriptors.

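/**
 * Builds a SAML {@link ClientRepresentation} from a metadata document read from {@code is}.
 *
 * <p>The document must resolve to exactly one {@code EntityDescriptor}, either as the root
 * element or as the only child of an {@code EntitiesDescriptor}. Everything copied into the
 * client (entity ID, endpoint URLs, logo and policy URIs, requested attributes and
 * certificates) is taken from the document as supplied, so the metadata should be treated
 * as untrusted input unless its origin has been verified before this call.
 *
 * @param is stream holding the SAML metadata XML
 * @return a client representation pre-filled from the SP descriptor
 * @throws RuntimeException if the document cannot be parsed, does not contain exactly one
 *         entity descriptor, has no SP descriptor, or a key descriptor's certificate
 *         cannot be read
 */
private static ClientRepresentation loadEntityDescriptors(InputStream is) {
    Object metadata;
    try {
        metadata = SAMLParser.getInstance().parse(is);
    } catch (ParsingException e) {
        throw new RuntimeException(e);
    }

    // Normalise both accepted root elements to an EntitiesDescriptor wrapper.
    EntitiesDescriptorType entities;
    if (metadata instanceof EntitiesDescriptorType) {
        entities = (EntitiesDescriptorType) metadata;
    } else {
        entities = new EntitiesDescriptorType();
        entities.addEntityDescriptor(metadata);
    }
    if (entities.getEntityDescriptor().size() != 1) {
        throw new RuntimeException("Expected one entity descriptor");
    }

    // The parser result is typed as Object and the wrapper accepts any object, so check the
    // type before casting. A document that is not entity metadata (or a nested
    // EntitiesDescriptor) then fails with a clear message instead of a ClassCastException.
    Object onlyDescriptor = entities.getEntityDescriptor().get(0);
    if (!(onlyDescriptor instanceof EntityDescriptorType)) {
        throw new RuntimeException("Expected an EntityDescriptor element");
    }
    EntityDescriptorType entity = (EntityDescriptorType) onlyDescriptor;
    String entityId = entity.getEntityID();

    ClientRepresentation app = new ClientRepresentation();
    app.setClientId(entityId);
    Map<String, String> attributes = new HashMap<>();
    app.setAttributes(attributes);
    List<String> redirectUris = new LinkedList<>();
    app.setRedirectUris(redirectUris);
    // NOTE(review): every client created from metadata starts with full scope allowed.
    // Narrow the scope after import if the SP does not need all of the user's role mappings.
    app.setFullScopeAllowed(true);
    app.setProtocol(SamlProtocol.LOGIN_PROTOCOL);

    // Defaults that do not depend on the metadata content.
    // default to true
    attributes.put(SamlConfigAttributes.SAML_SERVER_SIGNATURE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
    // default to false
    attributes.put(SamlConfigAttributes.SAML_SERVER_SIGNATURE_KEYINFO_EXT, SamlProtocol.ATTRIBUTE_FALSE_VALUE);
    attributes.put(SamlConfigAttributes.SAML_SIGNATURE_ALGORITHM, SignatureAlgorithm.RSA_SHA256.toString());
    attributes.put(SamlConfigAttributes.SAML_AUTHNSTATEMENT, SamlProtocol.ATTRIBUTE_TRUE_VALUE);

    SPSSODescriptorType spDescriptorType = getSPDescriptor(entity);
    // getSPDescriptor is defined outside this method. Guard in case it returns null for
    // metadata without an SP role (for example IdP metadata), which would otherwise
    // surface as a bare NullPointerException on the next line.
    if (spDescriptorType == null) {
        throw new RuntimeException("Expected an SPSSODescriptor in the entity descriptor");
    }
    if (spDescriptorType.isWantAssertionsSigned()) {
        attributes.put(SamlConfigAttributes.SAML_ASSERTION_SIGNATURE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
    }

    // Single logout endpoints.
    String logoutPost = getLogoutLocation(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
    if (logoutPost != null) {
        attributes.put(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, logoutPost);
    }
    String logoutRedirect = getLogoutLocation(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
    if (logoutRedirect != null) {
        attributes.put(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, logoutRedirect);
    }

    // Assertion consumer endpoints. Each location found for these bindings is also
    // registered as a redirect URI, verbatim from the metadata; this method applies no
    // scheme or host restriction.
    String assertionConsumerServicePostBinding = getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
    if (assertionConsumerServicePostBinding != null) {
        attributes.put(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, assertionConsumerServicePostBinding);
        redirectUris.add(assertionConsumerServicePostBinding);
    }
    String assertionConsumerServiceRedirectBinding = getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
    if (assertionConsumerServiceRedirectBinding != null) {
        attributes.put(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, assertionConsumerServiceRedirectBinding);
        redirectUris.add(assertionConsumerServiceRedirectBinding);
    }
    // SOAP and PAOS locations only become redirect URIs; no client attribute is set for them.
    String assertionConsumerServiceSoapBinding = getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_SOAP_BINDING.get());
    if (assertionConsumerServiceSoapBinding != null) {
        redirectUris.add(assertionConsumerServiceSoapBinding);
    }
    String assertionConsumerServicePaosBinding = getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_PAOS_BINDING.get());
    if (assertionConsumerServicePaosBinding != null) {
        redirectUris.add(assertionConsumerServicePaosBinding);
    }
    String assertionConsumerServiceArtifactBinding = getServiceURL(spDescriptorType, JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get());
    if (assertionConsumerServiceArtifactBinding != null) {
        attributes.put(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE, assertionConsumerServiceArtifactBinding);
        redirectUris.add(assertionConsumerServiceArtifactBinding);
    }
    String artifactResolutionService = getArtifactResolutionService(spDescriptorType);
    if (artifactResolutionService != null) {
        attributes.put(SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE, artifactResolutionService);
    }

    // The first declared NameID format that maps to a client attribute wins.
    if (spDescriptorType.getNameIDFormat() != null) {
        for (String format : spDescriptorType.getNameIDFormat()) {
            String attribute = SamlClient.samlNameIDFormatToClientAttribute(format);
            if (attribute != null) {
                attributes.put(SamlConfigAttributes.SAML_NAME_ID_FORMAT_ATTRIBUTE, attribute);
                break;
            }
        }
    }

    // Logo and privacy-statement URIs are stored exactly as the metadata gives them.
    // NOTE(review): confirm they are validated or escaped before being rendered to users.
    if (spDescriptorType.getExtensions() != null && spDescriptorType.getExtensions().getUIInfo() != null) {
        if (!spDescriptorType.getExtensions().getUIInfo().getLogo().isEmpty()) {
            attributes.put(ClientModel.LOGO_URI, spDescriptorType.getExtensions().getUIInfo().getLogo().get(0).getValue().toString());
        }
        if (!spDescriptorType.getExtensions().getUIInfo().getPrivacyStatementURL().isEmpty()) {
            // Prefer the English entry; otherwise fall back to the first one listed.
            attributes.put(ClientModel.POLICY_URI, spDescriptorType.getExtensions().getUIInfo().getPrivacyStatementURL().stream()
                .filter(dn -> "en".equals(dn.getLang()))
                .findFirst()
                .orElse(spDescriptorType.getExtensions().getUIInfo().getPrivacyStatementURL().get(0))
                .getValue()
                .toString());
        }
    }

    // One user-attribute mapper per RequestedAttribute across all AttributeConsumingServices.
    app.setProtocolMappers(spDescriptorType.getAttributeConsumingService().stream()
        .flatMap(att -> att.getRequestedAttribute().stream())
        .map(attr -> {
            ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
            mapper.setName(attr.getName());
            mapper.setProtocol("saml");
            mapper.setProtocolMapper(UserAttributeStatementMapper.PROVIDER_ID);
            Map<String, String> config = new HashMap<>();
            config.put(AttributeStatementHelper.SAML_ATTRIBUTE_NAME, attr.getName());
            if (attr.getFriendlyName() != null) {
                config.put(AttributeStatementHelper.FRIENDLY_NAME, attr.getFriendlyName());
            }
            if (attr.getNameFormat() != null) {
                config.put(AttributeStatementHelper.SAML_ATTRIBUTE_NAMEFORMAT, getSAMLNameFormat(attr.getNameFormat()));
            }
            mapper.setConfig(config);
            return mapper;
        })
        .collect(Collectors.toList()));

    // Certificates from the metadata become the client's signing and encryption
    // certificates. When several keys share a use, the last one listed overwrites the
    // earlier ones.
    // NOTE(review): a KeyDescriptor without a "use" attribute matches neither branch and
    // is ignored, although SAML metadata treats such a key as valid for both purposes.
    for (KeyDescriptorType keyDescriptor : spDescriptorType.getKeyDescriptor()) {
        X509Certificate cert;
        try {
            cert = SAMLMetadataUtil.getCertificate(keyDescriptor);
        } catch (ConfigurationException e) {
            throw new RuntimeException(e);
        } catch (ProcessingException e) {
            throw new RuntimeException(e);
        }
        String certPem = KeycloakModelUtils.getPemFromCertificate(cert);
        if (keyDescriptor.getUse() == KeyTypes.SIGNING) {
            attributes.put(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
            attributes.put(SamlConfigAttributes.SAML_SIGNING_CERTIFICATE_ATTRIBUTE, certPem);
        } else if (keyDescriptor.getUse() == KeyTypes.ENCRYPTION) {
            attributes.put(SamlConfigAttributes.SAML_ENCRYPT, SamlProtocol.ATTRIBUTE_TRUE_VALUE);
            attributes.put(SamlConfigAttributes.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE, certPem);
        }
    }
    return app;
}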
Also used : ClientModel(org.keycloak.models.ClientModel) AttributeStatementHelper(org.keycloak.protocol.saml.mappers.AttributeStatementHelper) UserAttributeStatementMapper(org.keycloak.protocol.saml.mappers.UserAttributeStatementMapper) SAMLParser(org.keycloak.saml.processing.core.parsers.saml.SAMLParser) X509Certificate(java.security.cert.X509Certificate) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils) HashMap(java.util.HashMap) Config(org.keycloak.Config) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) ByteArrayInputStream(java.io.ByteArrayInputStream) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) Map(java.util.Map) SignatureAlgorithm(org.keycloak.saml.SignatureAlgorithm) LinkedList(java.util.LinkedList) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) SPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) ClientDescriptionConverterFactory(org.keycloak.exportimport.ClientDescriptionConverterFactory) KeyTypes(org.keycloak.dom.saml.v2.metadata.KeyTypes) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) ClientDescriptionConverter(org.keycloak.exportimport.ClientDescriptionConverter) KeycloakSession(org.keycloak.models.KeycloakSession) EDTDescriptorChoiceType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType.EDTDescriptorChoiceType) EntitiesDescriptorType(org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType) Collectors(java.util.stream.Collectors) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Objects(java.util.Objects) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) List(java.util.List) 
KeycloakSessionFactory(org.keycloak.models.KeycloakSessionFactory) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType) SAMLMetadataUtil(org.keycloak.saml.processing.core.saml.v2.util.SAMLMetadataUtil) InputStream(java.io.InputStream) EntitiesDescriptorType(org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType) HashMap(java.util.HashMap) SPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType) LinkedList(java.util.LinkedList) X509Certificate(java.security.cert.X509Certificate) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)

Example 5 with EntityDescriptorType

use of org.keycloak.dom.saml.v2.metadata.EntityDescriptorType in project keycloak by keycloak.

the class SamlSPDescriptorClientInstallation method getSPDescriptorForClient.

/**
 * Renders the SAML SP metadata (an EntityDescriptor) for {@code client} as an XML string.
 *
 * <p>The endpoint URLs come from the client's binding-specific attributes. A blank URL
 * falls back to the client's management URL and then to {@code FALLBACK_ERROR_URL_STRING}.
 * The signing and encryption certificates configured on the client are embedded as
 * KeyInfo elements.
 *
 * <p>Any exception is logged and turned into an empty string, so callers cannot
 * distinguish a failure from an empty document except by checking for {@code ""}.
 *
 * @param client the SAML client to describe
 * @return the serialized metadata, or {@code ""} if generation failed
 */
public static String getSPDescriptorForClient(ClientModel client) {
    try {
        SamlClient saml = new SamlClient(client);
        String acsUrl;
        String sloUrl;
        URI acsBinding;
        URI sloBinding = null;

        // Base choice: POST when forced, otherwise Redirect.
        if (saml.forcePostBinding()) {
            acsUrl = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
            sloUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE);
            acsBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.getUri();
        } else {
            acsUrl = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
            sloUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
            acsBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.getUri();
        }

        // Artifact binding overrides the login side. Logout switches to Artifact only when
        // an artifact logout URL is configured; otherwise it keeps the binding chosen above.
        if (saml.forceArtifactBinding()) {
            if (client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE) != null) {
                sloBinding = JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri();
                sloUrl = client.getAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE);
            } else {
                // Must be captured before acsBinding is replaced below.
                sloBinding = acsBinding;
            }
            acsUrl = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE);
            acsBinding = JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri();
        }

        // Blank URL -> management URL -> fallback constant.
        if (acsUrl == null || acsUrl.trim().isEmpty()) {
            acsUrl = client.getManagementUrl();
            if (acsUrl == null || acsUrl.trim().isEmpty()) {
                acsUrl = FALLBACK_ERROR_URL_STRING;
            }
        }
        if (sloUrl == null || sloUrl.trim().isEmpty()) {
            sloUrl = client.getManagementUrl();
            if (sloUrl == null || sloUrl.trim().isEmpty()) {
                sloUrl = FALLBACK_ERROR_URL_STRING;
            }
        }
        if (sloBinding == null) {
            sloBinding = acsBinding;
        }

        String nameId = saml.getNameIDFormat();
        if (nameId == null) {
            nameId = SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT;
        }

        Element signingKeyInfo = SPMetadataDescriptor.buildKeyInfoElement(null, saml.getClientSigningCertificate());
        Element encryptionKeyInfo = SPMetadataDescriptor.buildKeyInfoElement(null, saml.getClientEncryptingCertificate());

        StringWriter out = new StringWriter();
        XMLStreamWriter xml = StaxUtil.getXMLStreamWriter(out);
        SAMLMetadataWriter metadataOut = new SAMLMetadataWriter(xml);

        EntityDescriptorType descriptor = SPMetadataDescriptor.buildSPdescriptor(
            acsBinding,
            sloBinding,
            new URI(acsUrl),
            new URI(sloUrl),
            saml.requiresClientSignature(),
            saml.requiresAssertionSignature(),
            saml.requiresEncryption(),
            client.getClientId(),
            nameId,
            Arrays.asList(signingKeyInfo),
            Arrays.asList(encryptionKeyInfo));
        metadataOut.writeEntityDescriptor(descriptor);
        return out.toString();
    } catch (Exception ex) {
        logger.error("Cannot generate SP metadata", ex);
        return "";
    }
}
Also used : SAMLMetadataWriter(org.keycloak.saml.processing.core.saml.v2.writers.SAMLMetadataWriter) StringWriter(java.io.StringWriter) XMLStreamWriter(javax.xml.stream.XMLStreamWriter) Element(org.w3c.dom.Element) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) URI(java.net.URI) SamlClient(org.keycloak.protocol.saml.SamlClient)

Aggregations

EntityDescriptorType (org.keycloak.dom.saml.v2.metadata.EntityDescriptorType)23 SPSSODescriptorType (org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType)10 Test (org.junit.Test)9 EndpointType (org.keycloak.dom.saml.v2.metadata.EndpointType)9 KeyDescriptorType (org.keycloak.dom.saml.v2.metadata.KeyDescriptorType)9 IndexedEndpointType (org.keycloak.dom.saml.v2.metadata.IndexedEndpointType)7 Element (org.w3c.dom.Element)7 SAMLParser (org.keycloak.saml.processing.core.parsers.saml.SAMLParser)6 StringInputStream (org.apache.tools.ant.filters.StringInputStream)5 IDPSSODescriptorType (org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType)5 RequestedAttributeType (org.keycloak.dom.saml.v2.metadata.RequestedAttributeType)5 Closeable (java.io.Closeable)4 QName (javax.xml.namespace.QName)4 Matchers.containsString (org.hamcrest.Matchers.containsString)4 AttributeConsumingServiceType (org.keycloak.dom.saml.v2.metadata.AttributeConsumingServiceType)4 ByteArrayInputStream (java.io.ByteArrayInputStream)3 StringWriter (java.io.StringWriter)3 URI (java.net.URI)3 XMLStreamWriter (javax.xml.stream.XMLStreamWriter)3 AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)3