Search in sources :

Example 31 with AuthnRequestType

use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.

the class BrokerTest method testRedirectQueryParametersPreserved.

@Test
public void testRedirectQueryParametersPreserved() throws IOException {
    final RealmResource realm = adminClient.realm(REALM_NAME);
    try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/?service=name&serviceType=prod"))) {
        SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build().login().idp(SAML_BROKER_ALIAS).build().getSamlResponse(REDIRECT);
        assertThat(samlResponse.getSamlObject(), Matchers.instanceOf(AuthnRequestType.class));
        AuthnRequestType ar = (AuthnRequestType) samlResponse.getSamlObject();
        assertThat(ar.getDestination(), Matchers.equalTo(URI.create("https://saml.idp/?service=name&serviceType=prod")));
        Header[] headers = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build().login().idp(SAML_BROKER_ALIAS).build().doNotFollowRedirects().executeAndTransform(resp -> resp.getHeaders(HttpHeaders.LOCATION));
        assertThat(headers.length, Matchers.is(1));
        assertThat(headers[0].getValue(), Matchers.containsString("https://saml.idp/?service=name&serviceType=prod"));
        assertThat(headers[0].getValue(), Matchers.containsString("SAMLRequest"));
    }
}
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) Header(org.apache.http.Header) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) RealmResource(org.keycloak.admin.client.resource.RealmResource) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) IdentityProviderCreator(org.keycloak.testsuite.updaters.IdentityProviderCreator) Test(org.junit.Test)

Example 32 with AuthnRequestType

use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.

the class SAMLAuthNRequestParserTest method testSaml20AttributeQueryWithExtension.

@Test(timeout = 2000)
public void testSaml20AttributeQueryWithExtension() throws Exception {
    try (InputStream is = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest-with-extension.xml")) {
        Object parsedObject = parser.parse(is);
        assertThat(parsedObject, instanceOf(AuthnRequestType.class));
        AuthnRequestType req = (AuthnRequestType) parsedObject;
        assertThat(req.getSignature(), nullValue());
        assertThat(req.getConsent(), nullValue());
        assertThat(req.getIssuer(), not(nullValue()));
        assertThat(req.getIssuer().getValue(), is("https://sp/"));
        assertThat(req.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
        assertThat(req.getExtensions(), not(nullValue()));
        assertThat(req.getExtensions().getAny().size(), is(2));
        assertThat(req.getExtensions().getAny().get(0), instanceOf(Element.class));
        assertThat(req.getExtensions().getAny().get(1), instanceOf(Element.class));
        Element el = (Element) req.getExtensions().getAny().get(0);
        assertThat(el.getLocalName(), is("KeyInfo"));
        assertThat(el.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
        assertThat(el.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
    }
}
Also used : AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) InputStream(java.io.InputStream) Element(org.w3c.dom.Element) Test(org.junit.Test)

Example 33 with AuthnRequestType

use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.

the class SAMLIdentityProvider method performLogin.

@Override
public Response performLogin(AuthenticationRequest request) {
    try {
        UriInfo uriInfo = request.getUriInfo();
        RealmModel realm = request.getRealm();
        String issuerURL = getEntityId(uriInfo, realm);
        String destinationUrl = getConfig().getSingleSignOnServiceUrl();
        String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
        if (nameIDPolicyFormat == null) {
            nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
        }
        String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        String assertionConsumerServiceUrl = request.getRedirectUri();
        if (getConfig().isPostBindingResponse()) {
            protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
        }
        SAML2RequestedAuthnContextBuilder requestedAuthnContext = new SAML2RequestedAuthnContextBuilder().setComparison(getConfig().getAuthnContextComparisonType());
        for (String authnContextClassRef : getAuthnContextClassRefUris()) requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
        for (String authnContextDeclRef : getAuthnContextDeclRefUris()) requestedAuthnContext.addAuthnContextDeclRef(authnContextDeclRef);
        Integer attributeConsumingServiceIndex = getConfig().getAttributeConsumingServiceIndex();
        String loginHint = getConfig().isLoginHint() ? request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM) : null;
        Boolean allowCreate = null;
        if (getConfig().getConfig().get(SAMLIdentityProviderConfig.ALLOW_CREATE) == null || getConfig().isAllowCreate())
            allowCreate = Boolean.TRUE;
        SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().assertionConsumerUrl(assertionConsumerServiceUrl).destination(destinationUrl).issuer(issuerURL).forceAuthn(getConfig().isForceAuthn()).protocolBinding(protocolBinding).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(allowCreate)).attributeConsumingServiceIndex(attributeConsumingServiceIndex).requestedAuthnContext(requestedAuthnContext).subject(loginHint);
        JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(request.getState().getEncoded());
        boolean postBinding = getConfig().isPostBindingAuthnRequest();
        if (getConfig().isWantAuthnRequestsSigned()) {
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
            if (!postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {
                // Only include extension if REDIRECT binding and signing whole SAML protocol message
                authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        AuthnRequestType authnRequest = authnRequestBuilder.createAuthnRequest();
        for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
            authnRequest = it.next().beforeSendingLoginRequest(authnRequest, request.getAuthenticationSession());
        }
        if (authnRequest.getDestination() != null) {
            destinationUrl = authnRequest.getDestination().toString();
        }
        // Save the current RequestID in the Auth Session as we need to verify it against the ID returned from the IdP
        request.getAuthenticationSession().setClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER, authnRequest.getID());
        if (postBinding) {
            return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        } else {
            return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        }
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not create authentication request.", e);
    }
}
Also used : SAML2RequestedAuthnContextBuilder(org.keycloak.saml.SAML2RequestedAuthnContextBuilder) JaxrsSAML2BindingBuilder(org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder) KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) RealmModel(org.keycloak.models.RealmModel) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) SamlAuthenticationPreprocessor(org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) KeyManager(org.keycloak.models.KeyManager) UriInfo(javax.ws.rs.core.UriInfo)

Example 34 with AuthnRequestType

use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.

the class SamlSPFacade method getSamlAuthnRequest.

/*
    * https://idp.ssocircle.com/sso/toolbox/samlEncode.jsp
    *
    * returns (https instead of http in case ssl is required)
    * 
    * <samlp:AuthnRequest 
    *     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
    *     xmlns="urn:oasis:names:tc:SAML:2.0:assertion" 
    *     AssertionConsumerServiceURL="http://localhost:8280/employee/" 
    *     Destination="http://localhost:8180/auth/realms/demo/protocol/saml" 
    *     ForceAuthn="false" 
    *     ID="ID_4d8e5ce2-7206-472b-a897-2d837090c005" 
    *     IsPassive="false" 
    *     IssueInstant="2015-03-06T22:22:17.854Z" 
    *     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    *     Version="2.0"> 
    *         <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml-employee</saml:Issuer> 
    *         <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> 
    * </samlp:AuthnRequest> 
    */
private URI getSamlAuthnRequest(HttpServletRequest req) {
    try {
        BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
        SAML2Request samlReq = new SAML2Request();
        String appServerUrl = ServletTestUtils.getUrlBase() + "/employee/";
        String authServerUrl = ServletTestUtils.getAuthServerUrlBase() + "/auth/realms/demo/protocol/saml";
        AuthnRequestType loginReq;
        loginReq = samlReq.createAuthnRequestType(UUID.randomUUID().toString(), appServerUrl, authServerUrl, "http://localhost:8280/employee/");
        loginReq.getNameIDPolicy().setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.getUri());
        return binding.redirectBinding(SAML2Request.convert(loginReq)).requestURI(authServerUrl);
    } catch (IOException | ConfigurationException | ParsingException | ProcessingException ex) {
        throw new RuntimeException(ex);
    }
}
Also used : AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) IOException(java.io.IOException) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)

Example 35 with AuthnRequestType

use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.

the class KcSamlBrokerAllowedClockSkewTest method loginClientExpiredResponseFromIdP.

@Test
public void loginClientExpiredResponseFromIdP() throws Exception {
    AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
    Document doc = SAML2Request.convert(loginRep);
    new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, SamlClient.Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
    SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().addStep(// offset to the past to invalidate the request
    () -> KcSamlBrokerAllowedClockSkewTest.this.setTimeOffset(-30)).processSamlResponse(// Response from producer IdP should fail
    SamlClient.Binding.POST).build().execute(hr -> assertThat(hr, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}
Also used : AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Document(org.w3c.dom.Document) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) Test(org.junit.Test)

Aggregations

AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)56 Test (org.junit.Test)41 Document (org.w3c.dom.Document)36 SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)30 AbstractSamlTest (org.keycloak.testsuite.saml.AbstractSamlTest)21 Element (org.w3c.dom.Element)16 Closeable (java.io.Closeable)13 SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)13 IdentityProviderAttributeUpdater (org.keycloak.testsuite.updaters.IdentityProviderAttributeUpdater)13 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)10 ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)8 HttpUriRequest (org.apache.http.client.methods.HttpUriRequest)7 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)7 ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)7 CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)6 CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)6 Matchers.containsString (org.hamcrest.Matchers.containsString)5 NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)5 SAML2Request (org.keycloak.saml.processing.api.saml.v2.request.SAML2Request)4 URI (java.net.URI)3