Example 6 with AuthnRequestType
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlSignedBrokerTest method testWithExpiredBrokerCertificate.
@Test
public void testWithExpiredBrokerCertificate() throws Exception {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource).setAttribute(SAMLIdentityProviderConfig.VALIDATE_SIGNATURE, Boolean.toString(true)).setAttribute(SAMLIdentityProviderConfig.WANT_ASSERTIONS_SIGNED, Boolean.toString(true)).setAttribute(SAMLIdentityProviderConfig.WANT_ASSERTIONS_ENCRYPTED, Boolean.toString(false)).setAttribute(SAMLIdentityProviderConfig.WANT_AUTHN_REQUESTS_SIGNED, "true").setAttribute(SAMLIdentityProviderConfig.SIGNING_CERTIFICATE_KEY, AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_CERTIFICATE).update();
Closeable clientUpdater = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm()).setAttribute(SamlConfigAttributes.SAML_ENCRYPT, Boolean.toString(false)).setAttribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true").setAttribute(SamlConfigAttributes.SAML_ASSERTION_SIGNATURE, Boolean.toString(true)).setAttribute(SamlConfigAttributes.SAML_CLIENT_SIGNATURE_ATTRIBUTE, "false").update();
Closeable realmUpdater = new RealmAttributeUpdater(adminClient.realm(bc.providerRealmName())).setPublicKey(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_PUBLIC_KEY).setPrivateKey(AbstractSamlTest.SAML_CLIENT_SALES_POST_SIG_EXPIRED_PRIVATE_KEY).update()) {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().assertResponse(org.keycloak.testsuite.util.Matchers.statusCodeIsHC(Status.BAD_REQUEST));
}
}
Also used :
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Closeable(java.io.Closeable)
IdentityProviderAttributeUpdater(org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater)
RealmAttributeUpdater(org.keycloak.testsuite.updaters.RealmAttributeUpdater)
Document(org.w3c.dom.Document)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Example 7 with AuthnRequestType
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlBrokerAllowedClockSkewTest method loginClientExpiredResponseFromIdPWithClockSkew.
@Test
public void loginClientExpiredResponseFromIdPWithClockSkew() throws Exception {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource).setAttribute(SAMLIdentityProviderConfig.ALLOWED_CLOCK_SKEW, "60").update()) {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, SamlClient.Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().addStep(// offset to the past but inside the clock skew
() -> KcSamlBrokerAllowedClockSkewTest.this.setTimeOffset(-30)).processSamlResponse(// Response from producer IdP expired but valid with the clock skew
SamlClient.Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
SamlClient.Binding.POST);
Assert.assertThat(samlResponse, Matchers.notNullValue());
Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
}
Also used :
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Closeable(java.io.Closeable)
IdentityProviderAttributeUpdater(org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater)
Document(org.w3c.dom.Document)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Example 8 with AuthnRequestType
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlBrokerTest method loginInResponseToMissing.
// KEYCLOAK-17935
@Test
public void loginInResponseToMissing() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).transformDocument(this::removeInResponseTo).build().execute(// Response from consumer IdP
hr -> assertThat(hr, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}
Also used :
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Document(org.w3c.dom.Document)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Example 9 with AuthnRequestType
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlBrokerTest method loginClientWithDotsInName.
// KEYCLOAK-6106
@Test
public void loginClientWithDotsInName() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
Binding.POST);
Assert.assertThat(samlResponse, Matchers.notNullValue());
Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
Also used :
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Document(org.w3c.dom.Document)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Example 10 with AuthnRequestType
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlBrokerTest method loginInResponseToMismatch.
// KEYCLOAK-17935
@Test
public void loginInResponseToMismatch() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).transformDocument(this::tamperInResponseTo).build().execute(// Response from consumer IdP
hr -> assertThat(hr, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}
Also used :
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
Document(org.w3c.dom.Document)
AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest)
Test(org.junit.Test)
Aggregations
AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)56
Test (org.junit.Test)41
Document (org.w3c.dom.Document)36
SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)30
AbstractSamlTest (org.keycloak.testsuite.saml.AbstractSamlTest)21
Element (org.w3c.dom.Element)16
Closeable (java.io.Closeable)13
SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)13
IdentityProviderAttributeUpdater (org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater)13
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)10
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)8
HttpUriRequest (org.apache.http.client.methods.HttpUriRequest)7
StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)7
ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)7
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)6
CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)6
Matchers.containsString (org.hamcrest.Matchers.containsString)5
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)5
SAML2Request (org.keycloak.saml.processing.api.saml.v2.request.SAML2Request)4
URI (java.net.URI)3
