
Example 11 with LogoutRequestType

use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.

the class LogoutTest method testLogoutPropagatesToSamlIdentityProviderNameIdPreserved.

/**
 * Logging out of the SAML client must propagate a {@code LogoutRequest} to the brokered SAML
 * identity provider, and the {@code NameID} in that request must keep every attribute of the
 * original subject: format, value, NameQualifier, SPProvidedID and SPNameQualifier.
 *
 * <p>The client is switched to front-channel logout over the redirect binding for the
 * duration of the test; both the client update and the created identity provider are
 * reverted by the try-with-resources block.
 */
@Test
public void testLogoutPropagatesToSamlIdentityProviderNameIdPreserved() throws IOException {
    final RealmResource realmResource = adminClient.realm(REALM_NAME);
    try (Closeable salesClientUpdate = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
                .setFrontchannelLogout(true)
                .removeAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE)
                .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "http://url")
                .update();
         Closeable brokerIdp = new IdentityProviderCreator(realmResource, addIdentityProvider())) {
        SAMLDocumentHolder brokerLogoutDoc = logIntoUnsignedSalesAppViaIdp()
                .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, REDIRECT)
                    .nameId(nameIdRef::get)
                    .sessionIndex(sessionIndexRef::get)
                    .build()
                .getSamlResponse(REDIRECT);
        // The message forwarded to the broker must be a LogoutRequest addressed to the IdP's SLO endpoint.
        assertThat(brokerLogoutDoc.getSamlObject(), isSamlLogoutRequest(BROKER_LOGOUT_SERVICE_URL));

        NameIDType nameId = ((LogoutRequestType) brokerLogoutDoc.getSamlObject()).getNameID();
        assertThat(nameId.getFormat(), is(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.getUri()));
        assertThat(nameId.getValue(), is("a@b.c"));
        assertThat(nameId.getNameQualifier(), is(NAME_QUALIFIER));
        assertThat(nameId.getSPProvidedID(), is(SP_PROVIDED_ID));
        assertThat(nameId.getSPNameQualifier(), is(SP_NAME_QUALIFIER));
    }
}
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) RealmResource(org.keycloak.admin.client.resource.RealmResource) Closeable(java.io.Closeable) IdentityProviderCreator(org.keycloak.testsuite.updaters.IdentityProviderCreator) LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) Test(org.junit.Test)

Example 12 with LogoutRequestType

use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.

the class AbstractSamlAuthenticationHandler method handleSamlRequest.

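/**
 * Handles an inbound SAML request delivered to the adapter, over the HTTP-Redirect binding
 * (GET) or the HTTP-POST binding (anything else). Only {@code LogoutRequest} messages are
 * supported; every other request type is rejected.
 *
 * <p>Processing order: parse the message for the active binding; require a
 * {@code Destination} attribute when the message carries an unencrypted signature; check the
 * destination against the request URI; verify the message signature when the IdP's
 * single-logout configuration requires it; finally dispatch to
 * {@link #logoutRequest(LogoutRequestType, String)}.
 *
 * @param samlRequest the encoded SAML request as received, handed to
 *                    {@code SAMLRequestParser} for the active binding; untrusted input
 * @param relayState  the {@code RelayState} value, passed through to the logout handler
 * @return the outcome of the logout handler, or a failure when the message cannot be parsed,
 *         is not a request, fails the destination or signature checks, or is an unsupported
 *         request type
 */
protected AuthOutcome handleSamlRequest(String samlRequest, String relayState) {
    String requestUri = facade.getRequest().getURI();
    final boolean postBinding = !facade.getRequest().getMethod().equalsIgnoreCase("GET");
    SAMLDocumentHolder holder;
    if (postBinding) {
        holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
    } else {
        // Redirect binding: strip the query params (they carry the message itself) so the
        // Destination comparison below sees only the endpoint URL.
        int queryStart = requestUri.indexOf('?');
        if (queryStart > -1) {
            requestUri = requestUri.substring(0, queryStart);
        }
        holder = SAMLRequestParser.parseRequestRedirectBinding(samlRequest);
    }
    if (holder == null) {
        log.error("Error parsing SAML document");
        return failedTerminal();
    }
    // The parsed object is attacker-controlled: a response or any other non-request document
    // must fail cleanly here rather than surface as a ClassCastException from an unchecked cast.
    Object samlObject = holder.getSamlObject();
    if (!(samlObject instanceof RequestAbstractType)) {
        log.error("SAML document is not a request");
        return failedTerminal();
    }
    RequestAbstractType request = (RequestAbstractType) samlObject;
    // A signed-but-undirected message cannot be bound to this endpoint; refuse it.
    if (request.getDestination() == null && containsUnencryptedSignature(holder, postBinding)) {
        log.error("Destination field required.");
        return failed(CHALLENGE_EXTRACTION_FAILURE);
    }
    if (!destinationValidator.validate(requestUri, request.getDestination())) {
        log.error("Expected destination '" + requestUri + "' got '" + request.getDestination() + "'");
        return failedTerminal();
    }
    if (!(request instanceof LogoutRequestType)) {
        log.error("unknown SAML request type");
        return failedTerminal();
    }
    // Signature verification is optional and driven by the deployment's SLO configuration;
    // when it is switched off, unsigned logout requests are accepted as-is.
    if (deployment.getIDP().getSingleLogoutService().validateRequestSignature()) {
        try {
            validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
        } catch (VerificationException e) {
            log.error("Failed to verify saml request signature", e);
            return failedTerminal();
        }
    }
    return logoutRequest((LogoutRequestType) request, relayState);
}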
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) RequestAbstractType(org.keycloak.dom.saml.v2.protocol.RequestAbstractType) LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) VerificationException(org.keycloak.common.VerificationException)

Example 13 with LogoutRequestType

use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.

the class SAMLSloRequestParserTest method testSaml20SloResponseWithExtension.

/**
 * Parses a SAML 2.0 logout message carrying an {@code <Extensions>} element and checks that
 * the parser yields a {@link LogoutRequestType} whose core fields and extension content are
 * preserved: no signature, no consent, issuer {@code https://sp/}, the expected NameID value,
 * and exactly one extension child, the {@code Asynchronous} element of the async-SLO namespace.
 */
@Test(timeout = 2000)
public void testSaml20SloResponseWithExtension() throws Exception {
    final String fixture = "KEYCLOAK-4552-saml20-aslo-response-via-extension.xml";
    try (InputStream fixtureStream = SAMLSloRequestParserTest.class.getResourceAsStream(fixture)) {
        Object parsed = parser.parse(fixtureStream);
        assertThat(parsed, instanceOf(LogoutRequestType.class));
        LogoutRequestType logoutRequest = (LogoutRequestType) parsed;

        assertThat(logoutRequest.getSignature(), nullValue());
        assertThat(logoutRequest.getConsent(), nullValue());
        assertThat(logoutRequest.getIssuer(), not(nullValue()));
        assertThat(logoutRequest.getIssuer().getValue(), is("https://sp/"));
        assertThat(logoutRequest.getNameID().getValue(), is("G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"));

        // The extension element must survive parsing as a DOM element, not be dropped or re-typed.
        assertThat(logoutRequest.getExtensions(), not(nullValue()));
        assertThat(logoutRequest.getExtensions().getAny().size(), is(1));
        Object firstExtension = logoutRequest.getExtensions().getAny().get(0);
        assertThat(firstExtension, instanceOf(Element.class));
        Element asyncElement = (Element) firstExtension;
        assertThat(asyncElement.getLocalName(), is("Asynchronous"));
        assertThat(asyncElement.getNamespaceURI(), is("urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"));
    }
}
Also used : InputStream(java.io.InputStream) Element(org.w3c.dom.Element) LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) Test(org.junit.Test)

Example 14 with LogoutRequestType

use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.

the class SAMLIdentityProvider method buildLogoutRequest.

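/**
 * Builds the SAML {@code LogoutRequest} sent to the external SAML identity provider when a
 * brokered user session is logged out.
 *
 * <p>The request is issued by this realm's entity id, targets {@code singleLogoutServiceUrl},
 * and identifies the federated session through the session index and NameID notes stored on
 * the user session. Every registered {@link SamlAuthenticationPreprocessor} may then rewrite
 * the request before it is returned.
 *
 * @param userSession            user session holding the federated session index and NameID notes
 * @param uriInfo                request URI context used to derive the issuer entity id
 * @param realm                  realm whose access-code lifespan is passed as the builder's assertion expiration
 * @param singleLogoutServiceUrl the IdP single-logout endpoint, used as the request destination
 * @param extensions             optional {@code <Extensions>} node generators to include in the request
 * @return the logout request, after all preprocessors have run
 * @throws ConfigurationException if the request cannot be created
 */
protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl, NodeGenerator... extensions) throws ConfigurationException {
    SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
            .assertionExpiration(realm.getAccessCodeLifespan())
            .issuer(getEntityId(uriInfo, realm))
            .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
            .nameId(NameIDType.deserializeFromString(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID)))
            .destination(singleLogoutServiceUrl);
    // Register extensions on the builder *before* creating the request: previously they were
    // added after createLogoutRequest(), so the object returned from here would not carry them
    // unless the builder kept a reference to it.
    for (NodeGenerator extension : extensions) {
        logoutBuilder.addExtension(extension);
    }
    LogoutRequestType logoutRequest = logoutBuilder.createLogoutRequest();
    // Each preprocessor receives the result of the previous one; the last one wins.
    for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
        logoutRequest = it.next().beforeSendingLogoutRequest(logoutRequest, userSession, null);
    }
    return logoutRequest;
}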
Also used : LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) SamlAuthenticationPreprocessor(org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor) SAML2LogoutRequestBuilder(org.keycloak.saml.SAML2LogoutRequestBuilder) NodeGenerator(org.keycloak.saml.SamlProtocolExtensionsAwareBuilder.NodeGenerator)

Example 15 with LogoutRequestType

use of org.keycloak.dom.saml.v2.protocol.LogoutRequestType in project keycloak by keycloak.

the class SAML2Request method createLogoutRequest.

/**
 * Creates a bare SAML 2.0 {@code LogoutRequest} with a freshly generated id (prefixed
 * {@code ID_}), the current issue instant and the given issuer. No NameID, session index
 * or destination is set; callers populate those afterwards.
 *
 * @param issuer the {@code Issuer} to place on the request
 * @return the new logout request
 * @throws ConfigurationException if the request cannot be created (propagated from the helper calls)
 */
public static LogoutRequestType createLogoutRequest(NameIDType issuer) throws ConfigurationException {
    // Generate the id first, then the issue instant, matching the order the constructor consumes them.
    String requestId = IDGenerator.create("ID_");
    LogoutRequestType logoutRequest = new LogoutRequestType(requestId, XMLTimeUtil.getIssueInstant());
    logoutRequest.setIssuer(issuer);
    return logoutRequest;
}
Also used : LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType)
