Search in sources :

Example 1 with IDPSSODescriptorType

use of org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType in project keycloak by keycloak.

the class SAMLIDPSSODescriptorParser method instantiateElement.

@Override
protected IDPSSODescriptorType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    List<String> protocolEnum = StaxParserUtil.getRequiredStringListAttributeValue(element, SAMLMetadataQNames.ATTR_PROTOCOL_SUPPORT_ENUMERATION);
    IDPSSODescriptorType descriptor = new IDPSSODescriptorType(protocolEnum);
    // Role descriptor optional arguments
    parseOptionalArguments(element, descriptor);
    // IDPSSODecsriptor optional attributes
    Boolean wantAuthnRequestsSigned = StaxParserUtil.getBooleanAttributeValue(element, SAMLMetadataQNames.ATTR_WANT_AUTHN_REQUESTS_SIGNED);
    if (wantAuthnRequestsSigned != null) {
        descriptor.setWantAuthnRequestsSigned(wantAuthnRequestsSigned);
    }
    return descriptor;
}
Also used : IDPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType)

Example 2 with IDPSSODescriptorType

use of org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType in project keycloak by keycloak.

the class IDPMetadataDescriptor method getIDPDescriptor.

public static String getIDPDescriptor(URI loginPostEndpoint, URI loginRedirectEndpoint, URI logoutEndpoint, URI artifactResolutionService, String entityId, boolean wantAuthnRequestsSigned, List<Element> signingCerts) throws ProcessingException {
    StringWriter sw = new StringWriter();
    XMLStreamWriter writer = StaxUtil.getXMLStreamWriter(sw);
    SAMLMetadataWriter metadataWriter = new SAMLMetadataWriter(writer);
    EntityDescriptorType entityDescriptor = new EntityDescriptorType(entityId);
    IDPSSODescriptorType spIDPDescriptor = new IDPSSODescriptorType(Arrays.asList(PROTOCOL_NSURI.get()));
    spIDPDescriptor.setWantAuthnRequestsSigned(wantAuthnRequestsSigned);
    spIDPDescriptor.addNameIDFormat(NAMEID_FORMAT_PERSISTENT.get());
    spIDPDescriptor.addNameIDFormat(NAMEID_FORMAT_TRANSIENT.get());
    spIDPDescriptor.addNameIDFormat(NAMEID_FORMAT_UNSPECIFIED.get());
    spIDPDescriptor.addNameIDFormat(NAMEID_FORMAT_EMAIL.get());
    spIDPDescriptor.addSingleLogoutService(new EndpointType(SAML_HTTP_POST_BINDING.getUri(), logoutEndpoint));
    spIDPDescriptor.addSingleLogoutService(new EndpointType(SAML_HTTP_REDIRECT_BINDING.getUri(), logoutEndpoint));
    spIDPDescriptor.addSingleLogoutService(new EndpointType(SAML_HTTP_ARTIFACT_BINDING.getUri(), logoutEndpoint));
    spIDPDescriptor.addSingleSignOnService(new EndpointType(SAML_HTTP_POST_BINDING.getUri(), loginPostEndpoint));
    spIDPDescriptor.addSingleSignOnService(new EndpointType(SAML_HTTP_REDIRECT_BINDING.getUri(), loginRedirectEndpoint));
    spIDPDescriptor.addSingleSignOnService(new EndpointType(SAML_SOAP_BINDING.getUri(), loginPostEndpoint));
    spIDPDescriptor.addSingleSignOnService(new EndpointType(SAML_HTTP_ARTIFACT_BINDING.getUri(), loginPostEndpoint));
    spIDPDescriptor.addArtifactResolutionService(new IndexedEndpointType(SAML_SOAP_BINDING.getUri(), artifactResolutionService));
    if (wantAuthnRequestsSigned && signingCerts != null) {
        for (Element key : signingCerts) {
            KeyDescriptorType keyDescriptor = new KeyDescriptorType();
            keyDescriptor.setUse(KeyTypes.SIGNING);
            keyDescriptor.setKeyInfo(key);
            spIDPDescriptor.addKeyDescriptor(keyDescriptor);
        }
    }
    entityDescriptor.addChoiceType(new EntityDescriptorType.EDTChoiceType(Arrays.asList(new EntityDescriptorType.EDTDescriptorChoiceType(spIDPDescriptor))));
    metadataWriter.writeEntityDescriptor(entityDescriptor);
    return sw.toString();
}
Also used : SAMLMetadataWriter(org.keycloak.saml.processing.core.saml.v2.writers.SAMLMetadataWriter) IDPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType) StringWriter(java.io.StringWriter) XMLStreamWriter(javax.xml.stream.XMLStreamWriter) Element(org.w3c.dom.Element) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType)

Example 3 with IDPSSODescriptorType

use of org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType in project keycloak by keycloak.

the class SAMLMetadataWriter method writeEntityDescriptor.

public void writeEntityDescriptor(EntityDescriptorType entityDescriptor) throws ProcessingException {
    StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ENTITY_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
    StaxUtil.writeDefaultNameSpace(writer, JBossSAMLURIConstants.METADATA_NSURI.get());
    StaxUtil.writeNameSpace(writer, "md", JBossSAMLURIConstants.METADATA_NSURI.get());
    StaxUtil.writeNameSpace(writer, "saml", JBossSAMLURIConstants.ASSERTION_NSURI.get());
    StaxUtil.writeNameSpace(writer, "ds", JBossSAMLURIConstants.XMLDSIG_NSURI.get());
    StaxUtil.writeAttribute(writer, JBossSAMLConstants.ENTITY_ID.get(), entityDescriptor.getEntityID());
    if (entityDescriptor.getValidUntil() != null) {
        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VALID_UNTIL.get(), entityDescriptor.getValidUntil().toString());
    }
    if (entityDescriptor.getID() != null) {
        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), entityDescriptor.getID());
    }
    Element signature = entityDescriptor.getSignature();
    if (signature != null) {
        StaxUtil.writeDOMElement(writer, signature);
    }
    ExtensionsType extensions = entityDescriptor.getExtensions();
    if (extensions != null) {
        write(extensions);
    }
    List<EntityDescriptorType.EDTChoiceType> choiceTypes = entityDescriptor.getChoiceType();
    for (EntityDescriptorType.EDTChoiceType edtChoice : choiceTypes) {
        AffiliationDescriptorType affliationDesc = edtChoice.getAffiliationDescriptor();
        if (affliationDesc != null)
            // TODO: affiliation
            throw logger.notImplementedYet("affliation");
        List<EntityDescriptorType.EDTDescriptorChoiceType> edtDescChoices = edtChoice.getDescriptors();
        for (EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice : edtDescChoices) {
            RoleDescriptorType roleDesc = edtDescChoice.getRoleDescriptor();
            if (roleDesc != null)
                throw logger.notImplementedYet("Role Descriptor type");
            IDPSSODescriptorType idpSSO = edtDescChoice.getIdpDescriptor();
            if (idpSSO != null)
                write(idpSSO);
            SPSSODescriptorType spSSO = edtDescChoice.getSpDescriptor();
            if (spSSO != null)
                write(spSSO);
            AttributeAuthorityDescriptorType attribAuth = edtDescChoice.getAttribDescriptor();
            if (attribAuth != null)
                writeAttributeAuthorityDescriptor(attribAuth);
            AuthnAuthorityDescriptorType authNDesc = edtDescChoice.getAuthnDescriptor();
            if (authNDesc != null)
                throw logger.notImplementedYet("AuthnAuthorityDescriptorType");
            PDPDescriptorType pdpDesc = edtDescChoice.getPdpDescriptor();
            if (pdpDesc != null)
                throw logger.notImplementedYet("PDPDescriptorType");
        }
    }
    OrganizationType organization = entityDescriptor.getOrganization();
    if (organization != null) {
        writeOrganization(organization);
    }
    List<ContactType> contactPersons = entityDescriptor.getContactPerson();
    for (ContactType contact : contactPersons) {
        write(contact);
    }
    List<AdditionalMetadataLocationType> addl = entityDescriptor.getAdditionalMetadataLocation();
    if (addl.size() > 0)
        throw logger.notImplementedYet("AdditionalMetadataLocationType");
    StaxUtil.writeEndElement(writer);
    StaxUtil.flush(writer);
}
Also used : AuthnAuthorityDescriptorType(org.keycloak.dom.saml.v2.metadata.AuthnAuthorityDescriptorType) IDPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType) ContactType(org.keycloak.dom.saml.v2.metadata.ContactType) Element(org.w3c.dom.Element) AffiliationDescriptorType(org.keycloak.dom.saml.v2.metadata.AffiliationDescriptorType) OrganizationType(org.keycloak.dom.saml.v2.metadata.OrganizationType) SPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType) RoleDescriptorType(org.keycloak.dom.saml.v2.metadata.RoleDescriptorType) PDPDescriptorType(org.keycloak.dom.saml.v2.metadata.PDPDescriptorType) ExtensionsType(org.keycloak.dom.saml.v2.metadata.ExtensionsType) AttributeAuthorityDescriptorType(org.keycloak.dom.saml.v2.metadata.AttributeAuthorityDescriptorType) AdditionalMetadataLocationType(org.keycloak.dom.saml.v2.metadata.AdditionalMetadataLocationType) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType)

Example 4 with IDPSSODescriptorType

use of org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType in project keycloak by keycloak.

the class SAMLMetadataWriter method write.

public void write(IDPSSODescriptorType idpSSODescriptor) throws ProcessingException {
    if (idpSSODescriptor == null)
        throw new ProcessingException(logger.nullArgumentError("IDPSSODescriptorType"));
    StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.IDP_SSO_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
    Boolean wantsAuthnRequestsSigned = idpSSODescriptor.isWantAuthnRequestsSigned();
    if (wantsAuthnRequestsSigned != null) {
        StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.WANT_AUTHN_REQUESTS_SIGNED.get()), wantsAuthnRequestsSigned.toString());
    }
    writeProtocolSupportEnumeration(idpSSODescriptor.getProtocolSupportEnumeration());
    // Get the key descriptors
    List<KeyDescriptorType> keyDescriptors = idpSSODescriptor.getKeyDescriptor();
    for (KeyDescriptorType keyDescriptor : keyDescriptors) {
        writeKeyDescriptor(keyDescriptor);
    }
    List<IndexedEndpointType> artifactResolutionServices = idpSSODescriptor.getArtifactResolutionService();
    for (IndexedEndpointType indexedEndpoint : artifactResolutionServices) {
        writeArtifactResolutionService(indexedEndpoint);
    }
    List<EndpointType> sloServices = idpSSODescriptor.getSingleLogoutService();
    for (EndpointType endpoint : sloServices) {
        writeSingleLogoutService(endpoint);
    }
    List<String> nameIDFormats = idpSSODescriptor.getNameIDFormat();
    for (String nameIDFormat : nameIDFormats) {
        writeNameIDFormat(nameIDFormat);
    }
    List<EndpointType> ssoServices = idpSSODescriptor.getSingleSignOnService();
    for (EndpointType endpoint : ssoServices) {
        writeSingleSignOnService(endpoint);
    }
    List<AttributeType> attributes = idpSSODescriptor.getAttribute();
    for (AttributeType attribType : attributes) {
        write(attribType);
    }
    StaxUtil.writeEndElement(writer);
    StaxUtil.flush(writer);
}
Also used : QName(javax.xml.namespace.QName) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) RequestedAttributeType(org.keycloak.dom.saml.v2.metadata.RequestedAttributeType) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) IndexedEndpointType(org.keycloak.dom.saml.v2.metadata.IndexedEndpointType) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)

Example 5 with IDPSSODescriptorType

use of org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType in project keycloak by keycloak.

the class SAMLIdentityProviderFactory method parseConfig.

@Override
public Map<String, String> parseConfig(KeycloakSession session, InputStream inputStream) {
    try {
        Object parsedObject = SAMLParser.getInstance().parse(inputStream);
        EntityDescriptorType entityType;
        if (EntitiesDescriptorType.class.isInstance(parsedObject)) {
            entityType = (EntityDescriptorType) ((EntitiesDescriptorType) parsedObject).getEntityDescriptor().get(0);
        } else {
            entityType = (EntityDescriptorType) parsedObject;
        }
        List<EntityDescriptorType.EDTChoiceType> choiceType = entityType.getChoiceType();
        if (!choiceType.isEmpty()) {
            IDPSSODescriptorType idpDescriptor = null;
            // So we need to loop through to find the IDPSSODescriptor.
            for (EntityDescriptorType.EDTChoiceType edtChoiceType : entityType.getChoiceType()) {
                List<EntityDescriptorType.EDTDescriptorChoiceType> descriptors = edtChoiceType.getDescriptors();
                if (!descriptors.isEmpty() && descriptors.get(0).getIdpDescriptor() != null) {
                    idpDescriptor = descriptors.get(0).getIdpDescriptor();
                }
            }
            if (idpDescriptor != null) {
                SAMLIdentityProviderConfig samlIdentityProviderConfig = new SAMLIdentityProviderConfig();
                String singleSignOnServiceUrl = null;
                boolean postBindingResponse = false;
                boolean postBindingLogout = false;
                for (EndpointType endpoint : idpDescriptor.getSingleSignOnService()) {
                    if (endpoint.getBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get())) {
                        singleSignOnServiceUrl = endpoint.getLocation().toString();
                        postBindingResponse = true;
                        break;
                    } else if (endpoint.getBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get())) {
                        singleSignOnServiceUrl = endpoint.getLocation().toString();
                    }
                }
                String singleLogoutServiceUrl = null;
                for (EndpointType endpoint : idpDescriptor.getSingleLogoutService()) {
                    if (postBindingResponse && endpoint.getBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get())) {
                        singleLogoutServiceUrl = endpoint.getLocation().toString();
                        postBindingLogout = true;
                        break;
                    } else if (!postBindingResponse && endpoint.getBinding().toString().equals(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get())) {
                        singleLogoutServiceUrl = endpoint.getLocation().toString();
                        break;
                    }
                }
                samlIdentityProviderConfig.setSingleLogoutServiceUrl(singleLogoutServiceUrl);
                samlIdentityProviderConfig.setSingleSignOnServiceUrl(singleSignOnServiceUrl);
                samlIdentityProviderConfig.setWantAuthnRequestsSigned(idpDescriptor.isWantAuthnRequestsSigned());
                samlIdentityProviderConfig.setAddExtensionsElementWithKeyInfo(false);
                samlIdentityProviderConfig.setValidateSignature(idpDescriptor.isWantAuthnRequestsSigned());
                samlIdentityProviderConfig.setPostBindingResponse(postBindingResponse);
                samlIdentityProviderConfig.setPostBindingAuthnRequest(postBindingResponse);
                samlIdentityProviderConfig.setPostBindingLogout(postBindingLogout);
                samlIdentityProviderConfig.setLoginHint(false);
                List<String> nameIdFormatList = idpDescriptor.getNameIDFormat();
                if (nameIdFormatList != null && !nameIdFormatList.isEmpty())
                    samlIdentityProviderConfig.setNameIDPolicyFormat(nameIdFormatList.get(0));
                List<KeyDescriptorType> keyDescriptor = idpDescriptor.getKeyDescriptor();
                String defaultCertificate = null;
                if (keyDescriptor != null) {
                    for (KeyDescriptorType keyDescriptorType : keyDescriptor) {
                        Element keyInfo = keyDescriptorType.getKeyInfo();
                        Element x509KeyInfo = DocumentUtil.getChildElement(keyInfo, new QName("dsig", "X509Certificate"));
                        if (KeyTypes.SIGNING.equals(keyDescriptorType.getUse())) {
                            samlIdentityProviderConfig.addSigningCertificate(x509KeyInfo.getTextContent());
                        } else if (KeyTypes.ENCRYPTION.equals(keyDescriptorType.getUse())) {
                            samlIdentityProviderConfig.setEncryptionPublicKey(x509KeyInfo.getTextContent());
                        } else if (keyDescriptorType.getUse() == null) {
                            defaultCertificate = x509KeyInfo.getTextContent();
                        }
                    }
                }
                if (defaultCertificate != null) {
                    if (samlIdentityProviderConfig.getSigningCertificates().length == 0) {
                        samlIdentityProviderConfig.addSigningCertificate(defaultCertificate);
                    }
                    if (samlIdentityProviderConfig.getEncryptionPublicKey() == null) {
                        samlIdentityProviderConfig.setEncryptionPublicKey(defaultCertificate);
                    }
                }
                samlIdentityProviderConfig.setEnabledFromMetadata(entityType.getValidUntil() == null || entityType.getValidUntil().toGregorianCalendar().getTime().after(new Date(System.currentTimeMillis())));
                // check for hide on login attribute
                if (entityType.getExtensions() != null && entityType.getExtensions().getEntityAttributes() != null) {
                    for (AttributeType attribute : entityType.getExtensions().getEntityAttributes().getAttribute()) {
                        if (MACEDIR_ENTITY_CATEGORY.equals(attribute.getName()) && attribute.getAttributeValue().contains(REFEDS_HIDE_FROM_DISCOVERY)) {
                            samlIdentityProviderConfig.setHideOnLogin(true);
                        }
                    }
                }
                return samlIdentityProviderConfig.getConfig();
            }
        }
    } catch (ParsingException pe) {
        throw new RuntimeException("Could not parse IdP SAML Metadata", pe);
    }
    return new HashMap<>();
}
Also used : IDPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType) HashMap(java.util.HashMap) QName(javax.xml.namespace.QName) Element(org.w3c.dom.Element) Date(java.util.Date) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) EndpointType(org.keycloak.dom.saml.v2.metadata.EndpointType) EntityDescriptorType(org.keycloak.dom.saml.v2.metadata.EntityDescriptorType) KeyDescriptorType(org.keycloak.dom.saml.v2.metadata.KeyDescriptorType)

Aggregations

IDPSSODescriptorType (org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType)6 EndpointType (org.keycloak.dom.saml.v2.metadata.EndpointType)5 EntityDescriptorType (org.keycloak.dom.saml.v2.metadata.EntityDescriptorType)5 KeyDescriptorType (org.keycloak.dom.saml.v2.metadata.KeyDescriptorType)4 QName (javax.xml.namespace.QName)3 AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)3 IndexedEndpointType (org.keycloak.dom.saml.v2.metadata.IndexedEndpointType)3 Element (org.w3c.dom.Element)3 RequestedAttributeType (org.keycloak.dom.saml.v2.metadata.RequestedAttributeType)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 StringWriter (java.io.StringWriter)1 Date (java.util.Date)1 HashMap (java.util.HashMap)1 XMLStreamWriter (javax.xml.stream.XMLStreamWriter)1 CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)1 HttpGet (org.apache.http.client.methods.HttpGet)1 CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)1 Matchers.containsString (org.hamcrest.Matchers.containsString)1 Test (org.junit.Test)1 ClientRegistrationException (org.keycloak.client.registration.ClientRegistrationException)1