Example 11 with LogoutRequestType
use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.
the class LogoutTest method testLogoutPropagatesToSamlIdentityProviderNameIdPreserved.
@Test
public void testLogoutPropagatesToSamlIdentityProviderNameIdPreserved() throws IOException {
final RealmResource realm = adminClient.realm(REALM_NAME);
try (Closeable sales = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(true).removeAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE).setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "http://url").update();
Closeable idp = new IdentityProviderCreator(realm, addIdentityProvider())) {
SAMLDocumentHolder samlResponse = logIntoUnsignedSalesAppViaIdp().logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, REDIRECT).nameId(nameIdRef::get).sessionIndex(sessionIndexRef::get).build().getSamlResponse(REDIRECT);
assertThat(samlResponse.getSamlObject(), isSamlLogoutRequest(BROKER_LOGOUT_SERVICE_URL));
LogoutRequestType lr = (LogoutRequestType) samlResponse.getSamlObject();
NameIDType logoutRequestNameID = lr.getNameID();
assertThat(logoutRequestNameID.getFormat(), is(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.getUri()));
assertThat(logoutRequestNameID.getValue(), is("a@b.c"));
assertThat(logoutRequestNameID.getNameQualifier(), is(NAME_QUALIFIER));
assertThat(logoutRequestNameID.getSPProvidedID(), is(SP_PROVIDED_ID));
assertThat(logoutRequestNameID.getSPNameQualifier(), is(SP_NAME_QUALIFIER));
}
}
Also used :
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
RealmResource(org.keycloak.admin.client.resource.RealmResource)
Closeable(java.io.Closeable)
IdentityProviderCreator(org.keycloak.testsuite.updaters.IdentityProviderCreator)
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
Test(org.junit.Test)
Example 12 with LogoutRequestType
use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.
the class AbstractSamlAuthenticationHandler method handleSamlRequest.
protected AuthOutcome handleSamlRequest(String samlRequest, String relayState) {
SAMLDocumentHolder holder = null;
boolean postBinding = false;
String requestUri = facade.getRequest().getURI();
if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
// strip out query params
int index = requestUri.indexOf('?');
if (index > -1) {
requestUri = requestUri.substring(0, index);
}
holder = SAMLRequestParser.parseRequestRedirectBinding(samlRequest);
} else {
postBinding = true;
holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
}
if (holder == null) {
log.error("Error parsing SAML document");
return failedTerminal();
}
RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
if (requestAbstractType.getDestination() == null && containsUnencryptedSignature(holder, postBinding)) {
log.error("Destination field required.");
return failed(CHALLENGE_EXTRACTION_FAILURE);
}
if (!destinationValidator.validate(requestUri, requestAbstractType.getDestination())) {
log.error("Expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'");
return failedTerminal();
}
if (requestAbstractType instanceof LogoutRequestType) {
if (deployment.getIDP().getSingleLogoutService().validateRequestSignature()) {
try {
validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
} catch (VerificationException e) {
log.error("Failed to verify saml request signature", e);
return failedTerminal();
}
}
LogoutRequestType logout = (LogoutRequestType) requestAbstractType;
return logoutRequest(logout, relayState);
} else {
log.error("unknown SAML request type");
return failedTerminal();
}
}
Also used :
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
RequestAbstractType(org.keycloak.dom.saml.v2.protocol.RequestAbstractType)
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
VerificationException(org.keycloak.common.VerificationException)
Example 13 with LogoutRequestType
use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.
the class SAMLSloRequestParserTest method testSaml20SloResponseWithExtension.
@Test(timeout = 2000)
public void testSaml20SloResponseWithExtension() throws Exception {
try (InputStream is = SAMLSloRequestParserTest.class.getResourceAsStream("KEYCLOAK-4552-saml20-aslo-response-via-extension.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(LogoutRequestType.class));
LogoutRequestType resp = (LogoutRequestType) parsedObject;
assertThat(resp.getSignature(), nullValue());
assertThat(resp.getConsent(), nullValue());
assertThat(resp.getIssuer(), not(nullValue()));
assertThat(resp.getIssuer().getValue(), is("https://sp/"));
NameIDType nameId = resp.getNameID();
assertThat(nameId.getValue(), is("G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"));
assertThat(resp.getExtensions(), not(nullValue()));
assertThat(resp.getExtensions().getAny().size(), is(1));
assertThat(resp.getExtensions().getAny().get(0), instanceOf(Element.class));
Element el = (Element) resp.getExtensions().getAny().get(0);
assertThat(el.getLocalName(), is("Asynchronous"));
assertThat(el.getNamespaceURI(), is("urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"));
}
}
Also used :
InputStream(java.io.InputStream)
Element(org.w3c.dom.Element)
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
Test(org.junit.Test)
Example 14 with LogoutRequestType
use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.
the class SAMLIdentityProvider method buildLogoutRequest.
protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl, NodeGenerator... extensions) throws ConfigurationException {
SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getEntityId(uriInfo, realm)).sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX)).nameId(NameIDType.deserializeFromString(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID))).destination(singleLogoutServiceUrl);
LogoutRequestType logoutRequest = logoutBuilder.createLogoutRequest();
for (NodeGenerator extension : extensions) {
logoutBuilder.addExtension(extension);
}
for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
logoutRequest = it.next().beforeSendingLogoutRequest(logoutRequest, userSession, null);
}
return logoutRequest;
}
Also used :
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
SamlAuthenticationPreprocessor(org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor)
SAML2LogoutRequestBuilder(org.keycloak.saml.SAML2LogoutRequestBuilder)
NodeGenerator(org.keycloak.saml.SamlProtocolExtensionsAwareBuilder.NodeGenerator)
Example 15 with LogoutRequestType
use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.
the class SAML2Request method createLogoutRequest.
/**
* Create a Logout Request
*
* @param issuer
*
* @return
*
* @throws ConfigurationException
*/
public static LogoutRequestType createLogoutRequest(NameIDType issuer) throws ConfigurationException {
LogoutRequestType lrt = new LogoutRequestType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
lrt.setIssuer(issuer);
return lrt;
}
Also used :
LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
Aggregations
LogoutRequestType (org.keycloak.dom.saml.v2.protocol.LogoutRequestType)18
Test (org.junit.Test)7
SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)7
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6
StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)5
ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)4
SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)4
Element (org.w3c.dom.Element)4
IOException (java.io.IOException)3
AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)3
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)3
NodeGenerator (org.keycloak.saml.SamlProtocolExtensionsAwareBuilder.NodeGenerator)3
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)3
ParsingException (org.keycloak.saml.common.exceptions.ParsingException)3
POST (org.keycloak.testsuite.util.SamlClient.Binding.POST)3
ByteArrayOutputStream (java.io.ByteArrayOutputStream)2
URI (java.net.URI)2
QName (javax.xml.namespace.QName)2
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)2
DOMSource (javax.xml.transform.dom.DOMSource)2
