
Example 1 with JaxrsSAML2BindingBuilder

Use of org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder in project keycloak by keycloak.

From class SAMLIdentityProvider, method keycloakInitiatedBrowserLogout (front-channel logout initiated by Keycloak towards the brokered IdP).

@Override
public Response keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
    String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
    if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals(""))
        return null;
    if (getConfig().isBackchannelSupported()) {
        backchannelLogout(session, userSession, uriInfo, realm);
        return null;
    } else {
        try {
            LogoutRequestType logoutRequest = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
            if (logoutRequest.getDestination() != null) {
                singleLogoutServiceUrl = logoutRequest.getDestination().toString();
            }
            JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
            // POST binding sends the LogoutRequest in an auto-submitting form; REDIRECT binding
            // deflates it into the SAMLRequest query parameter of a 302 to the SLO URL.
            if (getConfig().isPostBindingLogout()) {
                return binding.postBinding(SAML2Request.convert(logoutRequest)).request(singleLogoutServiceUrl);
            } else {
                return binding.redirectBinding(SAML2Request.convert(logoutRequest)).request(singleLogoutServiceUrl);
            }
        } catch (Exception e) {
            // Any failure to build or sign the request aborts the logout flow.
            throw new RuntimeException(e);
        }
    }
}
Also used: org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder, org.keycloak.dom.saml.v2.protocol.LogoutRequestType, org.keycloak.saml.common.exceptions.ConfigurationException, org.keycloak.broker.provider.IdentityBrokerException, javax.xml.parsers.ParserConfigurationException

Example 2 with JaxrsSAML2BindingBuilder

Use of org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder in project keycloak by keycloak.

From class SAMLIdentityProvider, method backchannelLogout (server-to-server logout, no browser involved).

@Override
public void backchannelLogout(KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm) {
    String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
    if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("") || !getConfig().isBackchannelSupported())
        return;
    JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
    try {
        LogoutRequestType logoutRequest = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
        if (logoutRequest.getDestination() != null) {
            singleLogoutServiceUrl = logoutRequest.getDestination().toString();
        }
        // The POST-binding payload is sent directly from Keycloak to the IdP's SLO URL,
        // with the user session id as RelayState.
        int status = SimpleHttp.doPost(singleLogoutServiceUrl, session).param(GeneralConstants.SAML_REQUEST_KEY, binding.postBinding(SAML2Request.convert(logoutRequest)).encoded()).param(GeneralConstants.RELAY_STATE, userSession.getId()).asStatus();
        // Only the HTTP status is inspected: any 2xx or 3xx counts as success, and no
        // LogoutResponse body is parsed or signature-checked here.
        boolean success = status >= 200 && status < 400;
        if (!success) {
            logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl);
        }
    } catch (Exception e) {
        logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl, e);
    }
}
Also used: org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder, org.keycloak.dom.saml.v2.protocol.LogoutRequestType, org.keycloak.saml.common.exceptions.ConfigurationException, org.keycloak.broker.provider.IdentityBrokerException, javax.xml.parsers.ParserConfigurationException

Example 3 with JaxrsSAML2BindingBuilder

Use of org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder in project keycloak by keycloak.

From class SAMLIdentityProvider, method buildLogoutBinding (shared helper that sets RelayState and, when configured, the signing key for logout messages).

private JaxrsSAML2BindingBuilder buildLogoutBinding(KeycloakSession session, UserSessionModel userSession, RealmModel realm) {
    // RelayState carries the user session id so the IdP's LogoutResponse can be matched back.
    JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(userSession.getId());
    if (getConfig().isWantAuthnRequestsSigned()) {
        // Sign with the realm's currently active RSA key; the KeyInfo name transformer decides
        // whether the kid, the certificate subject or another identifier is advertised as key name.
        KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
        String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
        binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
    }
    return binding;
}
Also used: org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder, org.keycloak.models.KeyManager

Example 4 with JaxrsSAML2BindingBuilder

Use of org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder in project keycloak by keycloak.

From class SAMLIdentityProvider, method performLogin (builds and sends the AuthnRequest to the brokered IdP).

@Override
public Response performLogin(AuthenticationRequest request) {
    try {
        UriInfo uriInfo = request.getUriInfo();
        RealmModel realm = request.getRealm();
        String issuerURL = getEntityId(uriInfo, realm);
        String destinationUrl = getConfig().getSingleSignOnServiceUrl();
        String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
        if (nameIDPolicyFormat == null) {
            nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
        }
        String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        String assertionConsumerServiceUrl = request.getRedirectUri();
        if (getConfig().isPostBindingResponse()) {
            protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
        }
        SAML2RequestedAuthnContextBuilder requestedAuthnContext = new SAML2RequestedAuthnContextBuilder().setComparison(getConfig().getAuthnContextComparisonType());
        for (String authnContextClassRef : getAuthnContextClassRefUris()) requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
        for (String authnContextDeclRef : getAuthnContextDeclRefUris()) requestedAuthnContext.addAuthnContextDeclRef(authnContextDeclRef);
        Integer attributeConsumingServiceIndex = getConfig().getAttributeConsumingServiceIndex();
        String loginHint = getConfig().isLoginHint() ? request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM) : null;
        Boolean allowCreate = null;
        if (getConfig().getConfig().get(SAMLIdentityProviderConfig.ALLOW_CREATE) == null || getConfig().isAllowCreate())
            allowCreate = Boolean.TRUE;
        SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().assertionConsumerUrl(assertionConsumerServiceUrl).destination(destinationUrl).issuer(issuerURL).forceAuthn(getConfig().isForceAuthn()).protocolBinding(protocolBinding).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(allowCreate)).attributeConsumingServiceIndex(attributeConsumingServiceIndex).requestedAuthnContext(requestedAuthnContext).subject(loginHint);
        JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(request.getState().getEncoded());
        boolean postBinding = getConfig().isPostBindingAuthnRequest();
        if (getConfig().isWantAuthnRequestsSigned()) {
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
            if (!postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {
                // Only include extension if REDIRECT binding and signing whole SAML protocol message
                authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        AuthnRequestType authnRequest = authnRequestBuilder.createAuthnRequest();
        for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
            authnRequest = it.next().beforeSendingLoginRequest(authnRequest, request.getAuthenticationSession());
        }
        if (authnRequest.getDestination() != null) {
            destinationUrl = authnRequest.getDestination().toString();
        }
        // Save the current RequestID in the Auth Session as we need to verify it against the ID returned from the IdP
        request.getAuthenticationSession().setClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER, authnRequest.getID());
        if (postBinding) {
            return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        } else {
            return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        }
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not create authentication request.", e);
    }
}
Also used: org.keycloak.saml.SAML2RequestedAuthnContextBuilder, org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder, org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator, org.keycloak.saml.common.exceptions.ConfigurationException, org.keycloak.broker.provider.IdentityBrokerException, javax.xml.parsers.ParserConfigurationException, org.keycloak.models.RealmModel, org.keycloak.dom.saml.v2.protocol.AuthnRequestType, org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor, org.keycloak.saml.SAML2AuthnRequestBuilder, org.keycloak.models.KeyManager, javax.ws.rs.core.UriInfo
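The comment in performLogin ("Only include extension if REDIRECT binding and signing whole SAML protocol message") reflects how the two bindings differ on the wire: under the POST binding the signature is an XML-DSig element inside the document, whereas under the HTTP-Redirect binding the XML is deflated into the SAMLRequest query parameter and the signature covers the URL-encoded query string (SAMLRequest, RelayState, SigAlg), so no KeyInfo can travel inside the message and Keycloak adds the key name as an Extensions element instead. The following JDK-only program, added here as an illustration and not taken from Keycloak, shows both halves of that redirect-binding signature: the sender builds and signs the query string, and the receiver rebuilds it from the raw parameters as received, refuses an unexpected SigAlg, and rejects a query whose RelayState was tampered with. It assumes Java 11 or later; the class name, method names and the minimal AuthnRequest are constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.zip.Deflater;

/** Example only (not Keycloak code): SAML 2.0 HTTP-Redirect binding signing and verification. */
public class SamlRedirectBindingExample {

    // SigAlg URI for RSA-SHA256; the receiver pins this instead of trusting whatever the sender names.
    static final String SIG_ALG_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Raw DEFLATE (no zlib header) followed by Base64, as the redirect binding requires. */
    static String deflateAndEncode(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Sender side: the signed query string to append to the IdP's SSO or SLO URL. */
    static String buildSignedQuery(String requestXml, String relayState, PrivateKey key) throws Exception {
        // The signed string is the URL-encoded parameters in exactly this order.
        String toSign = "SAMLRequest=" + enc(deflateAndEncode(requestXml))
                      + "&RelayState=" + enc(relayState)
                      + "&SigAlg=" + enc(SIG_ALG_RSA_SHA256);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(toSign.getBytes(StandardCharsets.UTF_8));
        return toSign + "&Signature=" + enc(Base64.getEncoder().encodeToString(sig.sign()));
    }

    /** Receiver side: rebuild the signed string from the raw (still URL-encoded) values as received. */
    static boolean verifySignedQuery(String query, PublicKey key) throws Exception {
        Map<String, String> raw = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            raw.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        String sigAlg = URLDecoder.decode(raw.getOrDefault("SigAlg", ""), StandardCharsets.UTF_8);
        if (!SIG_ALG_RSA_SHA256.equals(sigAlg) || !raw.containsKey("Signature") || !raw.containsKey("SAMLRequest")) {
            return false; // unknown algorithm or missing parameters: do not even attempt verification
        }
        StringBuilder toVerify = new StringBuilder("SAMLRequest=").append(raw.get("SAMLRequest"));
        if (raw.containsKey("RelayState")) {
            toVerify.append("&RelayState=").append(raw.get("RelayState"));
        }
        toVerify.append("&SigAlg=").append(raw.get("SigAlg"));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(toVerify.toString().getBytes(StandardCharsets.UTF_8));
        byte[] sigBytes = Base64.getDecoder().decode(URLDecoder.decode(raw.get("Signature"), StandardCharsets.UTF_8));
        return sig.verify(sigBytes);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Constructed minimal AuthnRequest for the example; not a real Keycloak message.
        String authnRequest = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example-request-1\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\"/>";
        String query = buildSignedQuery(authnRequest, "session-123", kp.getPrivate());
        System.out.println("genuine query verifies:  " + verifySignedQuery(query, kp.getPublic()));
        // Changing RelayState after signing must invalidate the signature.
        String tampered = query.replace("RelayState=session-123", "RelayState=session-999");
        System.out.println("tampered query verifies: " + verifySignedQuery(tampered, kp.getPublic()));
    }
}
```

Two details matter on the receiving side: the string to verify is rebuilt from the parameter values exactly as they arrived in the URL (re-encoding a decoded value can change percent-escaping and break an otherwise valid signature), and the algorithm is pinned rather than read from SigAlg, so a sender cannot downgrade verification by naming a weaker or unsupported algorithm.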

Aggregations

JaxrsSAML2BindingBuilder (org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder): 4 examples
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException): 3
IdentityBrokerException (org.keycloak.broker.provider.IdentityBrokerException): 3
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException): 3
LogoutRequestType (org.keycloak.dom.saml.v2.protocol.LogoutRequestType): 2
KeyManager (org.keycloak.models.KeyManager): 2
UriInfo (javax.ws.rs.core.UriInfo): 1
AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType): 1
RealmModel (org.keycloak.models.RealmModel): 1
SamlAuthenticationPreprocessor (org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor): 1
SAML2AuthnRequestBuilder (org.keycloak.saml.SAML2AuthnRequestBuilder): 1
SAML2RequestedAuthnContextBuilder (org.keycloak.saml.SAML2RequestedAuthnContextBuilder): 1
KeycloakKeySamlExtensionGenerator (org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator): 1