Examples with ResponseType org.keycloak.dom.saml.v2.protocol.ResponseType used on opensource projects

Search in sources :

Example 46 with ResponseType

use of org.keycloak.dom.saml.v2.protocol.ResponseType in project keycloak by keycloak.

the class SAMLEndpoint method validateInResponseToAttribute.

private boolean validateInResponseToAttribute(ResponseType responseType, String expectedRequestId) {
    // If we are not expecting a request ID, don't bother
    if (expectedRequestId == null || expectedRequestId.isEmpty())
        return true;
    // We are expecting a request ID so we are in SP-initiated login, attribute InResponseTo must be present
    if (responseType.getInResponseTo() == null) {
        logger.error("Response Validation Error: InResponseTo attribute was expected but not present in received response");
        return false;
    }
    // Attribute is present, proceed with validation
    // 1) Attribute Response > InResponseTo must not be empty
    String responseInResponseToValue = responseType.getInResponseTo();
    if (responseInResponseToValue.isEmpty()) {
        logger.error("Response Validation Error: InResponseTo attribute was expected but it is empty in received response");
        return false;
    }
    // 2) Attribute Response > InResponseTo must match request ID
    if (!responseInResponseToValue.equals(expectedRequestId)) {
        logger.error("Response Validation Error: received InResponseTo attribute does not match the expected request ID");
        return false;
    }
    // If present, Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo must also be validated
    if (responseType.getAssertions().isEmpty())
        return true;
    SubjectType subjectElement = responseType.getAssertions().get(0).getAssertion().getSubject();
    if (subjectElement != null) {
        if (subjectElement.getConfirmation() != null && !subjectElement.getConfirmation().isEmpty()) {
            SubjectConfirmationType subjectConfirmationElement = subjectElement.getConfirmation().get(0);
            if (subjectConfirmationElement != null) {
                SubjectConfirmationDataType subjectConfirmationDataElement = subjectConfirmationElement.getSubjectConfirmationData();
                if (subjectConfirmationDataElement != null) {
                    if (subjectConfirmationDataElement.getInResponseTo() != null) {
                        // 3) Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo is empty
                        String subjectConfirmationDataInResponseToValue = subjectConfirmationDataElement.getInResponseTo();
                        if (subjectConfirmationDataInResponseToValue.isEmpty()) {
                            logger.error("Response Validation Error: SubjectConfirmationData InResponseTo attribute was expected but it is empty in received response");
                            return false;
                        }
                        // 4) Assertion > Subject > Confirmation > SubjectConfirmationData > InResponseTo does not match request ID
                        if (!subjectConfirmationDataInResponseToValue.equals(expectedRequestId)) {
                            logger.error("Response Validation Error: received SubjectConfirmationData InResponseTo attribute does not match the expected request ID");
                            return false;
                        }
                    }
                }
            }
        }
    }
    return true;
}
Also used : SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType)

Example 47 with ResponseType

use of org.keycloak.dom.saml.v2.protocol.ResponseType in project keycloak by keycloak.

the class KcSamlBrokerFrontendUrlTest method testFrontendUrlInDestinationExpected.

@Test
public void testFrontendUrlInDestinationExpected() throws URISyntaxException {
    SAMLDocumentHolder samlResponse = clientBuilderTrustingAllCertificates().idpInitiatedLogin(new URI(proxy.getUrl() + "/realms/" + bc.consumerRealmName() + "/protocol/saml"), "sales-post").build().login().idp(IDP_SAML_ALIAS).build().processSamlResponse(// AuthnRequest to producer IdP
    SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(USER_LOGIN, USER_PASSWORD).build().processSamlResponse(SamlClient.Binding.POST).transformObject(saml2Object -> {
        assertThat(saml2Object, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType response = (ResponseType) saml2Object;
        assertThat(response.getDestination(), startsWith(proxy.getUrl()));
        return saml2Object;
    }).build().updateProfile().username(USER_LOGIN).email(USER_EMAIL).firstName("Firstname").lastName("Lastname").build().followOneRedirect().getSamlResponse(SamlClient.Binding.POST);
    assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
Also used : ReverseProxy(org.keycloak.testsuite.util.ReverseProxy) USER_PASSWORD(org.keycloak.testsuite.broker.BrokerTestConstants.USER_PASSWORD) IDP_SAML_ALIAS(org.keycloak.testsuite.broker.BrokerTestConstants.IDP_SAML_ALIAS) URISyntaxException(java.net.URISyntaxException) AssertEvents(org.keycloak.testsuite.AssertEvents) HashMap(java.util.HashMap) CoreMatchers.startsWith(org.hamcrest.CoreMatchers.startsWith) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) KeyStoreException(java.security.KeyStoreException) USER_EMAIL(org.keycloak.testsuite.broker.BrokerTestConstants.USER_EMAIL) ArrayList(java.util.ArrayList) BrokerTestTools.getConsumerRoot(org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot) Map(java.util.Map) SamlClient(org.keycloak.testsuite.util.SamlClient) NoopHostnameVerifier(org.apache.http.conn.ssl.NoopHostnameVerifier) URI(java.net.URI) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) Errors(org.keycloak.events.Errors) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) Matchers(org.keycloak.testsuite.util.Matchers) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Test(org.junit.Test) EventType(org.keycloak.events.EventType) KeyManagementException(java.security.KeyManagementException) SSLContextBuilder(org.apache.http.ssl.SSLContextBuilder) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) URLEncoder(java.net.URLEncoder) List(java.util.List) Rule(org.junit.Rule) USER_LOGIN(org.keycloak.testsuite.broker.BrokerTestConstants.USER_LOGIN) Ignore(org.junit.Ignore) Response(javax.ws.rs.core.Response) REALM_CONS_NAME(org.keycloak.testsuite.broker.BrokerTestConstants.REALM_CONS_NAME) BrokerTestTools.waitForPage(org.keycloak.testsuite.broker.BrokerTestTools.waitForPage) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) HttpClientBuilder(org.apache.http.impl.client.HttpClientBuilder) UnsupportedEncodingException(java.io.UnsupportedEncodingException) TrustAllStrategy(org.apache.http.conn.ssl.TrustAllStrategy) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) URI(java.net.URI) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) Test(org.junit.Test)

Example 48 with ResponseType

use of org.keycloak.dom.saml.v2.protocol.ResponseType in project keycloak by keycloak.

the class SAML2Response method createResponseType.

/**
 * Create a ResponseType
 *
 * <b>NOTE:</b>: The PicketLink STS is used to issue/update the assertion
 *
 * If you want to control over the assertion being issued, then use
 * {@link #createResponseType(String, SPInfoHolder, IDPInfoHolder, IssuerInfoHolder, AssertionType)}
 *
 * @param ID id of the response
 * @param sp holder with the information about the Service Provider
 * @param idp holder with the information on the Identity Provider
 * @param issuerInfo holder with information on the issuer
 *
 * @return
 *
 * @throws ConfigurationException
 * @throws ProcessingException
 */
public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo) throws ProcessingException {
    String responseDestinationURI = sp.getResponseDestinationURI();
    XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
    // Create assertion -> subject
    SubjectType subjectType = new SubjectType();
    // subject -> nameid
    NameIDType nameIDType = new NameIDType();
    nameIDType.setFormat(idp.getNameIDFormat() == null ? null : URI.create(idp.getNameIDFormat()));
    nameIDType.setValue(idp.getNameIDFormatValue());
    SubjectType.STSubType subType = new SubjectType.STSubType();
    subType.addBaseID(nameIDType);
    subjectType.setSubType(subType);
    SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
    subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
    SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
    subjectConfirmationData.setInResponseTo(sp.getRequestID());
    subjectConfirmationData.setRecipient(responseDestinationURI);
    // subjectConfirmationData.setNotBefore(issueInstant);
    subjectConfirmationData.setNotOnOrAfter(issueInstant);
    subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
    subjectType.addConfirmation(subjectConfirmation);
    AssertionType assertionType;
    NameIDType issuerID = issuerInfo.getIssuer();
    issueInstant = XMLTimeUtil.getIssueInstant();
    ConditionsType conditions = null;
    List<StatementAbstractType> statements = new LinkedList<>();
    // generate an id for the new assertion.
    String assertionID = IDGenerator.create("ID_");
    assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions, subjectType, statements);
    try {
        AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    } catch (IssueInstantMissingException e) {
        throw logger.processingError(e);
    }
    ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
    // InResponseTo ID
    responseType.setInResponseTo(sp.getRequestID());
    // Destination
    responseType.setDestination(responseDestinationURI);
    return responseType;
}
Also used : EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) LinkedList(java.util.LinkedList) IssueInstantMissingException(org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar) SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)

Example 49 with ResponseType

use of org.keycloak.dom.saml.v2.protocol.ResponseType in project keycloak by keycloak.

the class SAML2Response method getSAML2ObjectFromStream.

/**
 * Read a {@code SAML2Object} from an input stream
 *
 * @param is
 *
 * @return
 *
 * @throws ParsingException
 * @throws ConfigurationException
 * @throws ProcessingException
 */
public SAML2Object getSAML2ObjectFromStream(InputStream is) throws ParsingException, ConfigurationException, ProcessingException {
    if (is == null)
        throw logger.nullArgumentError("InputStream");
    Document samlResponseDocument = DocumentUtil.getDocument(is);
    if (logger.isTraceEnabled()) {
        logger.trace("SAML Response Document: " + DocumentUtil.asString(samlResponseDocument));
    }
    SAMLParser samlParser = SAMLParser.getInstance();
    JAXPValidationUtil.checkSchemaValidation(samlResponseDocument);
    SAML2Object responseType = (SAML2Object) samlParser.parse(samlResponseDocument);
    samlDocumentHolder = new SAMLDocumentHolder(responseType, samlResponseDocument);
    return responseType;
}
Also used : SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SAMLParser(org.keycloak.saml.processing.core.parsers.saml.SAMLParser) Document(org.w3c.dom.Document)

Example 50 with ResponseType

use of org.keycloak.dom.saml.v2.protocol.ResponseType in project keycloak by keycloak.

the class SAML2LoginResponseBuilder method buildModel.

public ResponseType buildModel() throws ConfigurationException, ProcessingException {
    ResponseType responseType = null;
    SAML2Response saml2Response = new SAML2Response();
    // Create a response type
    String id = IDGenerator.create("ID_");
    IssuerInfoHolder issuerHolder = new IssuerInfoHolder(issuer);
    issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get());
    IDPInfoHolder idp = new IDPInfoHolder();
    idp.setNameIDFormatValue(nameId);
    idp.setNameIDFormat(nameIdFormat);
    SPInfoHolder sp = new SPInfoHolder();
    sp.setResponseDestinationURI(destination);
    sp.setRequestID(requestID);
    sp.setIssuer(requestIssuer);
    responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder);
    AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
    // Add request issuer as the audience restriction
    AudienceRestrictionType audience = new AudienceRestrictionType();
    audience.addAudience(URI.create(requestIssuer));
    assertion.getConditions().addCondition(audience);
    // Update Conditions NotOnOrAfter
    if (assertionExpiration > 0) {
        ConditionsType conditions = assertion.getConditions();
        conditions.setNotOnOrAfter(XMLTimeUtil.add(conditions.getNotBefore(), assertionExpiration * 1000L));
    }
    // Update SubjectConfirmationData NotOnOrAfter
    if (subjectExpiration > 0) {
        SubjectConfirmationDataType subjectConfirmationData = assertion.getSubject().getConfirmation().get(0).getSubjectConfirmationData();
        subjectConfirmationData.setNotOnOrAfter(XMLTimeUtil.add(assertion.getConditions().getNotBefore(), subjectExpiration * 1000L));
    }
    // Create an AuthnStatementType
    if (!disableAuthnStatement) {
        String authContextRef = JBossSAMLURIConstants.AC_UNSPECIFIED.get();
        if (isNotNull(authMethod))
            authContextRef = authMethod;
        AuthnStatementType authnStatement = StatementUtil.createAuthnStatement(XMLTimeUtil.getIssueInstant(), authContextRef);
        if (sessionExpiration > 0)
            authnStatement.setSessionNotOnOrAfter(XMLTimeUtil.add(authnStatement.getAuthnInstant(), sessionExpiration * 1000L));
        if (sessionIndex != null)
            authnStatement.setSessionIndex(sessionIndex);
        else
            authnStatement.setSessionIndex(assertion.getID());
        assertion.addStatement(authnStatement);
    }
    if (includeOneTimeUseCondition) {
        assertion.getConditions().addCondition(new OneTimeUseType());
    }
    if (!this.extensions.isEmpty()) {
        ExtensionsType extensionsType = new ExtensionsType();
        for (NodeGenerator extension : this.extensions) {
            extensionsType.addExtension(extension);
        }
        responseType.setExtensions(extensionsType);
    }
    return responseType;
}
Also used : AudienceRestrictionType(org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) OneTimeUseType(org.keycloak.dom.saml.v2.assertion.OneTimeUseType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SPInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder) ExtensionsType(org.keycloak.dom.saml.v2.protocol.ExtensionsType) IssuerInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder) SAML2Response(org.keycloak.saml.processing.api.saml.v2.response.SAML2Response) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) IDPInfoHolder(org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder)

Aggregations

ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)75 Test (org.junit.Test)50 SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)38 SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)34 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)33 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)26 NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)25 JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)16 Document (org.w3c.dom.Document)15 URI (java.net.URI)13 List (java.util.List)12 Matchers.containsString (org.hamcrest.Matchers.containsString)12 Assert.assertThat (org.junit.Assert.assertThat)12 AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)12 AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)12 StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)12 ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)12 IOException (java.io.IOException)11 Response (javax.ws.rs.core.Response)11 Matchers (org.keycloak.testsuite.util.Matchers)11
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial