use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class BrokerTest method testRedirectQueryParametersPreserved.
@Test
public void testRedirectQueryParametersPreserved() throws IOException {
    // The IdP's SingleSignOnService URL carries its own query string. The broker must keep it
    // intact both in the AuthnRequest's Destination attribute and in the redirect it sends the
    // browser to, otherwise an IdP that validates Destination against its own endpoint URL
    // (a common SAML check) would reject the request.
    final String ssoServiceUrl = "https://saml.idp/?service=name&serviceType=prod";
    final RealmResource realm = adminClient.realm(REALM_NAME);
    try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider(ssoServiceUrl))) {
        // Drive a client login through the broker and decode the AuthnRequest the broker emits
        // towards the IdP (redirect binding).
        SAMLDocumentHolder brokerRequest = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST)
                .build()
                .login().idp(SAML_BROKER_ALIAS).build()
                .getSamlResponse(REDIRECT);
        assertThat(brokerRequest.getSamlObject(), Matchers.instanceOf(AuthnRequestType.class));
        AuthnRequestType authnRequest = (AuthnRequestType) brokerRequest.getSamlObject();
        assertThat(authnRequest.getDestination(), Matchers.equalTo(URI.create(ssoServiceUrl)));

        // Same flow again, but stop at the broker's redirect and inspect the raw Location header:
        // the full SSO URL (query string included) must be there together with the SAMLRequest param.
        Header[] locationHeaders = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST)
                .build()
                .login().idp(SAML_BROKER_ALIAS).build()
                .doNotFollowRedirects()
                .executeAndTransform(resp -> resp.getHeaders(HttpHeaders.LOCATION));
        assertThat(locationHeaders.length, Matchers.is(1));
        String location = locationHeaders[0].getValue();
        assertThat(location, Matchers.containsString(ssoServiceUrl));
        assertThat(location, Matchers.containsString("SAMLRequest"));
    }
}
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class SAMLAuthNRequestParserTest method testSaml20AttributeQueryWithExtension.
@Test(timeout = 2000)
public void testSaml20AttributeQueryWithExtension() throws Exception {
    // Despite the method name, the fixture is an AuthnRequest that carries a samlp:Extensions
    // element holding Keycloak's KeyInfo extension (urn:keycloak:ext:key:1.0).
    try (InputStream fixture = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest-with-extension.xml")) {
        Object parsed = parser.parse(fixture);
        assertThat(parsed, instanceOf(AuthnRequestType.class));
        AuthnRequestType request = (AuthnRequestType) parsed;

        // No XML-embedded signature and no Consent in this fixture. The key id is announced via
        // the extension instead, which the broker only adds when the message is signed at the
        // binding level (redirect binding, signature in the query string).
        assertThat(request.getSignature(), nullValue());
        assertThat(request.getConsent(), nullValue());

        assertThat(request.getIssuer(), not(nullValue()));
        assertThat(request.getIssuer().getValue(), is("https://sp/"));
        assertThat(request.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));

        // The parser must preserve unknown extension content as raw DOM elements, not drop it.
        assertThat(request.getExtensions(), not(nullValue()));
        assertThat(request.getExtensions().getAny().size(), is(2));
        for (int i = 0; i < 2; i++) {
            assertThat(request.getExtensions().getAny().get(i), instanceOf(Element.class));
        }

        // First extension element: the Keycloak KeyInfo with the id of the message-signing key.
        Element keyInfo = (Element) request.getExtensions().getAny().get(0);
        assertThat(keyInfo.getLocalName(), is("KeyInfo"));
        assertThat(keyInfo.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
        assertThat(keyInfo.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
    }
}
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class SAMLIdentityProvider method performLogin.
/**
 * Starts a brokered login by sending a SAML {@code AuthnRequest} to the external IdP.
 * <p>
 * The request is addressed to the configured SingleSignOnService URL, names the broker's own
 * callback ({@code request.getRedirectUri()}) as the AssertionConsumerServiceURL, carries the
 * encoded broker state as RelayState and is optionally signed with the realm's active RSA key.
 * The generated request ID is recorded on the authentication session so the IdP's response can
 * later be correlated with it ({@code InResponseTo}).
 *
 * @param request the broker-side authentication request (realm, URI info, auth session, state)
 * @return an HTTP redirect or an auto-submitting POST form, depending on
 *         {@code getConfig().isPostBindingAuthnRequest()}
 * @throws IdentityBrokerException if the request cannot be built, signed or encoded
 */
@Override
public Response performLogin(AuthenticationRequest request) {
    try {
        UriInfo uriInfo = request.getUriInfo();
        RealmModel realm = request.getRealm();
        // Issuer: this broker's SAML entity id for the realm.
        String issuerURL = getEntityId(uriInfo, realm);
        // Where the AuthnRequest is sent; a preprocessor may override it further down.
        String destinationUrl = getConfig().getSingleSignOnServiceUrl();
        String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
        if (nameIDPolicyFormat == null) {
            // Default to the persistent NameID format when the admin configured none.
            nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
        }
        // ProtocolBinding tells the IdP how to deliver its *Response*; this is independent of
        // how the AuthnRequest itself is transported (see postBinding below).
        String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        // The IdP must return the response to the broker's own endpoint, not to the original client.
        String assertionConsumerServiceUrl = request.getRedirectUri();
        if (getConfig().isPostBindingResponse()) {
            protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
        }
        // Requested authentication strength: comparison type plus any configured class/decl refs.
        SAML2RequestedAuthnContextBuilder requestedAuthnContext = new SAML2RequestedAuthnContextBuilder().setComparison(getConfig().getAuthnContextComparisonType());
        for (String authnContextClassRef : getAuthnContextClassRefUris()) requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
        for (String authnContextDeclRef : getAuthnContextDeclRefUris()) requestedAuthnContext.addAuthnContextDeclRef(authnContextDeclRef);
        Integer attributeConsumingServiceIndex = getConfig().getAttributeConsumingServiceIndex();
        // Forward the login_hint client note as the request Subject only when explicitly enabled;
        // presumably this value originates from the end user's request to the original client,
        // so it is untrusted input that ends up inside the XML sent to the IdP.
        String loginHint = getConfig().isLoginHint() ? request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM) : null;
        Boolean allowCreate = null;
        // AllowCreate=true unless the admin explicitly disabled it; when disabled the flag stays
        // null (presumably the attribute is then omitted rather than emitted as "false" — confirm
        // in SAML2NameIDPolicyBuilder).
        if (getConfig().getConfig().get(SAMLIdentityProviderConfig.ALLOW_CREATE) == null || getConfig().isAllowCreate())
            allowCreate = Boolean.TRUE;
        SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().assertionConsumerUrl(assertionConsumerServiceUrl).destination(destinationUrl).issuer(issuerURL).forceAuthn(getConfig().isForceAuthn()).protocolBinding(protocolBinding).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(allowCreate)).attributeConsumingServiceIndex(attributeConsumingServiceIndex).requestedAuthnContext(requestedAuthnContext).subject(loginHint);
        // RelayState carries the encoded broker state through the IdP round-trip.
        JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(request.getState().getEncoded());
        boolean postBinding = getConfig().isPostBindingAuthnRequest();
        if (getConfig().isWantAuthnRequestsSigned()) {
            // Sign with the realm's active RSA key. The key name advertised to the IdP is derived
            // from the configured KeyInfo transformer (kid- or certificate-based).
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
            if (!postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {
                // Only include extension if REDIRECT binding and signing whole SAML protocol message
                // (with the redirect binding the signature lives in the query string, so the key id
                // is announced to the IdP via Keycloak's KeyInfo extension inside the request).
                authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        AuthnRequestType authnRequest = authnRequestBuilder.createAuthnRequest();
        // Give registered preprocessors a chance to adjust the request before it leaves.
        for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
            authnRequest = it.next().beforeSendingLoginRequest(authnRequest, request.getAuthenticationSession());
        }
        // A preprocessor may have pointed the request at a different destination.
        if (authnRequest.getDestination() != null) {
            destinationUrl = authnRequest.getDestination().toString();
        }
        // Save the current RequestID in the Auth Session as we need to verify it against the ID returned from the IdP
        request.getAuthenticationSession().setClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER, authnRequest.getID());
        // NOTE(review): the message actually sent is produced by authnRequestBuilder.toDocument(),
        // not from the authnRequest instance returned by the preprocessors above. That is only
        // consistent if toDocument() serializes the very instance the preprocessors mutated; a
        // preprocessor returning a new object would leave the stored request ID (and destination)
        // out of sync with what goes on the wire and break the InResponseTo check. Confirm
        // against SAML2AuthnRequestBuilder.
        if (postBinding) {
            return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        } else {
            return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        }
    } catch (Exception e) {
        // Any failure while building, signing or encoding surfaces as the broker's exception type,
        // with the original cause preserved.
        throw new IdentityBrokerException("Could not create authentication request.", e);
    }
}
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class SamlSPFacade method getSamlAuthnRequest.
/**
 * Builds the redirect-binding login URL that sends the browser to the demo realm's SAML
 * endpoint with an unsigned AuthnRequest for the employee test application.
 * <p>
 * Handy for decoding the result: https://idp.ssocircle.com/sso/toolbox/samlEncode.jsp
 * <p>
 * The request produced looks like the following (https instead of http when SSL is required):
 * <pre>
 * &lt;samlp:AuthnRequest
 *     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 *     xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 *     AssertionConsumerServiceURL="http://localhost:8280/employee/"
 *     Destination="http://localhost:8180/auth/realms/demo/protocol/saml"
 *     ForceAuthn="false"
 *     ID="ID_4d8e5ce2-7206-472b-a897-2d837090c005"
 *     IsPassive="false"
 *     IssueInstant="2015-03-06T22:22:17.854Z"
 *     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 *     Version="2.0"&gt;
 *   &lt;saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"&gt;saml-employee&lt;/saml:Issuer&gt;
 *   &lt;samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/&gt;
 * &lt;/samlp:AuthnRequest&gt;
 * </pre>
 *
 * @param req the incoming servlet request (currently not consulted)
 * @return the full redirect URI, including the encoded SAMLRequest parameter
 * @throws RuntimeException wrapping any I/O, configuration, parsing or processing failure
 */
private URI getSamlAuthnRequest(HttpServletRequest req) {
    try {
        // ACS and destination follow the test environment's base URLs; the last argument is the
        // fixed client/entity id registered in the demo realm and is deliberately not derived
        // from the base URL.
        String acsUrl = ServletTestUtils.getUrlBase() + "/employee/";
        String realmSamlEndpoint = ServletTestUtils.getAuthServerUrlBase() + "/auth/realms/demo/protocol/saml";
        AuthnRequestType authnRequest = new SAML2Request().createAuthnRequestType(
                UUID.randomUUID().toString(), acsUrl, realmSamlEndpoint, "http://localhost:8280/employee/");
        authnRequest.getNameIDPolicy().setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.getUri());
        // Redirect binding: the request is deflated/base64'd into the SAMLRequest query parameter.
        return new BaseSAML2BindingBuilder()
                .redirectBinding(SAML2Request.convert(authnRequest))
                .requestURI(realmSamlEndpoint);
    } catch (IOException | ConfigurationException | ParsingException | ProcessingException ex) {
        throw new RuntimeException(ex);
    }
}
use of org.keycloak.dom.saml.v2.protocol.AuthnRequestType in project keycloak by keycloak.
the class KcSamlBrokerAllowedClockSkewTest method loginClientExpiredResponseFromIdP.
@Test
public void loginClientExpiredResponseFromIdP() throws Exception {
    // AuthnRequest from the client application towards the consumer realm (the broker).
    AuthnRequestType clientLogin = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
    Document clientLoginDoc = SAML2Request.convert(clientLogin);

    new SamlClientBuilder()
            .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), clientLoginDoc, SamlClient.Binding.POST).build()
            // Pick the producer IdP on the broker; the broker answers with its own AuthnRequest.
            .login().idp(bc.getIDPAlias()).build()
            .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
            // Authenticate at the producer IdP.
            .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
            // Move the consumer's clock 30 s into the past (beyond the tolerated skew) so the
            // producer's Response no longer falls inside its validity window.
            .addStep(() -> KcSamlBrokerAllowedClockSkewTest.this.setTimeOffset(-30))
            // The broker must reject the out-of-window Response.
            .processSamlResponse(SamlClient.Binding.POST).build()
            .execute(response -> assertThat(response, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}