Usage of org.keycloak.saml.BaseSAML2BindingBuilder in the keycloak project (github: keycloak/keycloak): class AbstractInitiateLogin, method createSaml2Binding.
public static BaseSAML2BindingBuilder createSaml2Binding(SamlDeployment deployment) {
    // A bare builder is all that is needed when the IdP's SSO service does not require
    // signed AuthnRequests; destination, relay state etc. are applied by the caller.
    BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
    if (!deployment.getIDP().getSingleSignOnService().signRequest()) {
        return binding;
    }

    binding.signatureAlgorithm(deployment.getSignatureAlgorithm());

    // Fail fast on a misconfigured deployment instead of emitting an unsigned request
    // to an IdP that has been told to expect a signature.
    KeyPair signingKeys = deployment.getSigningKeyPair();
    if (signingKeys == null) {
        throw new RuntimeException("Signing keys not configured");
    }

    String c14nMethod = deployment.getSignatureCanonicalizationMethod();
    if (c14nMethod != null) {
        binding.canonicalizationMethod(c14nMethod);
    }

    // The key name/ID passed to signWith() is null: nothing identifying the signing key is
    // embedded next to the signature yet (see the TODO below), so presumably the IdP selects
    // the verification key from its client configuration.
    binding.signWith(null, signingKeys);
    // TODO: As part of KEYCLOAK-3810, add KeyID to the SAML document
    // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>));
    binding.signDocument();
    return binding;
}
Usage of org.keycloak.saml.BaseSAML2BindingBuilder in the keycloak project (github: keycloak/keycloak): class WebBrowserSsoAuthenticationHandler, method logoutRequest.
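@Override
protected AuthOutcome logoutRequest(LogoutRequestType request, String relayState) {
    // Handles an IdP-initiated front-channel LogoutRequest: terminates the matching local
    // session(s) and answers with a LogoutResponse over the IdP's SLO response binding.
    // NOTE(review): no signature, Issuer or Destination validation of the incoming request
    // happens in this method; it is assumed to have been verified before dispatch — confirm.

    // Prefer SessionIndex (precise); otherwise log out everything held for the principal.
    if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
        // Without SessionIndex the NameID is the only handle we have. A request lacking one
        // (malformed, or carrying an EncryptedID, which is not decrypted here) cannot name
        // anyone, so refuse it — no session is touched and no LogoutResponse is sent.
        if (request.getNameID() == null) {
            log.error("Logout request has neither SessionIndex nor NameID; cannot determine which session to terminate");
            return AuthOutcome.FAILED;
        }
        sessionStore.logoutByPrincipal(request.getNameID().getValue());
    } else {
        sessionStore.logoutBySsoId(request.getSessionIndex());
    }

    // Build the LogoutResponse, correlated with the request through InResponseTo.
    String issuerURL = deployment.getEntityID();
    SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
    builder.logoutRequestID(request.getID());
    builder.destination(deployment.getIDP().getSingleLogoutService().getResponseBindingUrl());
    builder.issuer(issuerURL);

    BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder().relayState(relayState);
    if (deployment.getIDP().getSingleLogoutService().signResponse()) {
        // Misconfiguration guard: a signed response is required but no key pair is available.
        // Report it explicitly instead of letting signing fail inside sendSaml() below, where
        // it would presumably surface only as the generic "Could not send" error.
        if (deployment.getSigningKeyPair() == null) {
            log.error("Signing keys not configured; cannot sign logout response");
            return AuthOutcome.FAILED;
        }
        if (deployment.getSignatureCanonicalizationMethod() != null) {
            binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
        }
        // Key name/ID is null: nothing identifying the signing key is embedded yet (TODO below).
        binding.signatureAlgorithm(deployment.getSignatureAlgorithm()).signWith(null, deployment.getSigningKeyPair()).signDocument();
        // TODO: As part of KEYCLOAK-3810, add KeyID to the SAML document
        // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>));
    }

    try {
        SamlUtil.sendSaml(false, facade, deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(), binding, builder.buildDocument(), deployment.getIDP().getSingleLogoutService().getResponseBinding());
    } catch (Exception e) {
        log.error("Could not send logout response SAML request", e);
        return AuthOutcome.FAILED;
    }
    // A logout is not an authentication attempt, hence NOT_ATTEMPTED on success; the response
    // itself has presumably already been written to the facade by sendSaml().
    return AuthOutcome.NOT_ATTEMPTED;
}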
Usage of org.keycloak.saml.BaseSAML2BindingBuilder in the keycloak project (github: keycloak/keycloak): class SamlSPFacade (test servlet), method getSamlAuthnRequest.
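/*
 * Builds the redirect-binding URI for an (unsigned) SP-initiated AuthnRequest against the
 * demo realm. Decode it with e.g. https://idp.ssocircle.com/sso/toolbox/samlEncode.jsp
 *
 * The request looks like this (https instead of http in case ssl is required):
 *
 * <samlp:AuthnRequest
 * xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 * xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 * AssertionConsumerServiceURL="http://localhost:8280/employee/"
 * Destination="http://localhost:8180/auth/realms/demo/protocol/saml"
 * ForceAuthn="false"
 * ID="ID_4d8e5ce2-7206-472b-a897-2d837090c005"
 * IsPassive="false"
 * IssueInstant="2015-03-06T22:22:17.854Z"
 * ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 * Version="2.0">
 * <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml-employee</saml:Issuer>
 * <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
 * </samlp:AuthnRequest>
 *
 * @param req the incoming servlet request (currently unused; kept for the caller's signature)
 * @return the IdP SSO endpoint URI carrying the deflated, base64-encoded AuthnRequest
 * @throws RuntimeException wrapping any I/O, configuration, parsing or processing failure
 */
private URI getSamlAuthnRequest(HttpServletRequest req) {
    try {
        BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
        SAML2Request samlReq = new SAML2Request();
        String appServerUrl = ServletTestUtils.getUrlBase() + "/employee/";
        String authServerUrl = ServletTestUtils.getAuthServerUrlBase() + "/auth/realms/demo/protocol/saml";
        // The SAML request ID is an xs:ID (an NCName) and therefore must not start with a digit.
        // A bare UUID string frequently does, so prefix it, matching the "ID_..." form shown in the
        // sample above; a strict validator would otherwise reject the message.
        String requestId = "ID_" + UUID.randomUUID();
        // Last argument is the Issuer value, i.e. the client ID registered in the realm. It is
        // intentionally a fixed literal rather than appServerUrl — presumably the realm's client
        // is registered under exactly this name; verify against the test realm definition.
        AuthnRequestType loginReq = samlReq.createAuthnRequestType(requestId, appServerUrl, authServerUrl, "http://localhost:8280/employee/");
        loginReq.getNameIDPolicy().setFormat(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.getUri());
        // HTTP-Redirect binding: the request travels in the query string. No signature is applied here.
        return binding.redirectBinding(SAML2Request.convert(loginReq)).requestURI(authServerUrl);
    } catch (IOException | ConfigurationException | ParsingException | ProcessingException ex) {
        throw new RuntimeException(ex);
    }
}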
Usage of org.keycloak.saml.BaseSAML2BindingBuilder in the keycloak project (github: keycloak/keycloak): class HandleArtifactStepBuilder (testsuite), method perform.
/**
 * Main step: extracts the artifact from the IdP response (redirect or POST, via
 * {@code getArtifactFromResponse}), wraps it in an ArtifactResolve message, optionally signs it,
 * runs it through the configured transformer and returns it as a SOAP POST to the auth server.
 * Which of these happen depends on the builder methods that were called beforehand; in replay
 * mode the previously built POST is returned untouched.
 *
 * @param client the current http client (not used by this step)
 * @param currentURI the current uri (not used by this step)
 * @param currentResponse the current response from the IdP, carrying the artifact
 * @param context the current http context (not used by this step)
 * @return a POSTed SOAP message containing the ArtifactResolve message, or {@code null} if the
 *         transformer dropped the document
 * @throws Exception on any serialization, key-parsing or signing failure
 */
@Override
public HttpUriRequest perform(CloseableHttpClient client, URI currentURI, CloseableHttpResponse currentResponse, HttpClientContext context) throws Exception {
    // Replay mode: hand back the previously built POST instead of consuming a fresh artifact.
    if (replayPost && replayPostMessage != null) {
        return replayPostMessage;
    }

    String receivedArtifact = getArtifactFromResponse(currentResponse);
    if (storeArtifact != null) {
        storeArtifact.set(receivedArtifact);
    }

    NameIDType issuerId = new NameIDType();
    issuerId.setValue(issuer);
    ArtifactResolveType resolveRequest = new ArtifactResolveType(id, XMLTimeUtil.getIssueInstant());
    resolveRequest.setIssuer(issuerId);
    resolveRequest.setArtifact(receivedArtifact);

    // Serialize to DOM so that both the (optional) enveloped signature and the transformer
    // operate on the same document.
    ByteArrayOutputStream serialized = new ByteArrayOutputStream();
    XMLStreamWriter writer = StaxUtil.getXMLStreamWriter(serialized);
    new SAMLRequestWriter(writer).write(resolveRequest);
    Document resolveDoc = DocumentUtil.getDocument(new ByteArrayInputStream(serialized.toByteArray()));

    // Sign only when both halves of the key pair were supplied. The two KeyUtils below are
    // different classes: the fully-qualified one is the testsuite PEM helper, the other provides
    // the key ID that is embedded alongside the signature.
    if (signingPrivateKeyPem != null && signingPublicKeyPem != null) {
        PrivateKey signingKey = org.keycloak.testsuite.util.KeyUtils.privateKeyFromString(signingPrivateKeyPem);
        PublicKey verificationKey = org.keycloak.testsuite.util.KeyUtils.publicKeyFromString(signingPublicKeyPem);
        new BaseSAML2BindingBuilder()
                .signatureAlgorithm(SignatureAlgorithm.RSA_SHA256)
                .signWith(KeyUtils.createKeyId(signingKey), signingKey, verificationKey)
                .signDocument(resolveDoc);
    }

    // The transformer may rewrite the message (tests use this to produce tampered requests) or
    // suppress it entirely by returning null.
    String transformedXml = getTransformer().transform(DocumentUtil.getDocumentAsString(resolveDoc));
    if (transformedXml == null) {
        return null;
    }

    // If a session-state checker is installed, teach it how to find the user/client sessions
    // that the artifact maps to on the server side. (instanceof is false for null.)
    if (beforeStepChecker instanceof SessionStateChecker) {
        SessionStateChecker stateChecker = (SessionStateChecker) beforeStepChecker;
        stateChecker.setUserSessionProvider(session ->
                session.getProvider(SamlArtifactSessionMappingStoreProvider.class).get(receivedArtifact).getUserSessionId());
        stateChecker.setClientSessionProvider(session ->
                session.getProvider(SamlArtifactSessionMappingStoreProvider.class).get(receivedArtifact).getClientSessionId());
    }

    HttpPost soapPost = Soap.createMessage().addToBody(DocumentUtil.getDocument(transformedXml)).buildHttpPost(authServerSamlUrl);
    // Remember the message so a later replay can resend it byte-for-byte.
    replayPostMessage = soapPost;
    return soapPost;
}