Example 1 with SAML2AuthnRequestBuilder
use of org.keycloak.saml.SAML2AuthnRequestBuilder in project keycloak by keycloak.
the class AbstractInitiateLogin method buildSaml2AuthnRequestBuilder.
public static SAML2AuthnRequestBuilder buildSaml2AuthnRequestBuilder(SamlDeployment deployment) {
String issuerURL = deployment.getEntityID();
String nameIDPolicyFormat = deployment.getNameIDPolicyFormat();
if (nameIDPolicyFormat == null) {
nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
}
SingleSignOnService sso = deployment.getIDP().getSingleSignOnService();
SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().destination(sso.getRequestBindingUrl()).issuer(issuerURL).forceAuthn(deployment.isForceAuthentication()).isPassive(deployment.isIsPassive()).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(Boolean.TRUE));
if (sso.getResponseBinding() != null) {
String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
if (sso.getResponseBinding() == SamlDeployment.Binding.POST) {
protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
}
authnRequestBuilder.protocolBinding(protocolBinding);
}
if (sso.getAssertionConsumerServiceUrl() != null) {
authnRequestBuilder.assertionConsumerUrl(sso.getAssertionConsumerServiceUrl());
}
return authnRequestBuilder;
}
Also used :
SingleSignOnService(org.keycloak.adapters.saml.SamlDeployment.IDP.SingleSignOnService)
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
Example 2 with SAML2AuthnRequestBuilder
use of org.keycloak.saml.SAML2AuthnRequestBuilder in project keycloak by keycloak.
the class AbstractInitiateLogin method challenge.
@Override
public boolean challenge(HttpFacade httpFacade) {
try {
SAML2AuthnRequestBuilder authnRequestBuilder = buildSaml2AuthnRequestBuilder(deployment);
BaseSAML2BindingBuilder binding = createSaml2Binding(deployment);
sessionStore.saveRequest();
sendAuthnRequest(httpFacade, authnRequestBuilder, binding);
sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_IN);
} catch (Exception e) {
throw new RuntimeException("Could not create authentication request.", e);
}
return true;
}
Also used :
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
IOException(java.io.IOException)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
Example 3 with SAML2AuthnRequestBuilder
use of org.keycloak.saml.SAML2AuthnRequestBuilder in project keycloak by keycloak.
the class AbstractSamlAuthenticationHandler method createChallenge.
protected AbstractInitiateLogin createChallenge() {
return new AbstractInitiateLogin(deployment, sessionStore) {
@Override
protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException {
if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
httpFacade.getResponse().setStatus(401);
httpFacade.getResponse().end();
} else {
Document document = authnRequestBuilder.toDocument();
SamlDeployment.Binding samlBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
SamlUtil.sendSaml(true, httpFacade, deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(), binding, document, samlBinding);
}
}
};
}
Also used :
AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin)
HttpFacade(org.keycloak.adapters.spi.HttpFacade)
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
SamlDeployment(org.keycloak.adapters.saml.SamlDeployment)
Document(org.w3c.dom.Document)
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
Example 4 with SAML2AuthnRequestBuilder
use of org.keycloak.saml.SAML2AuthnRequestBuilder in project keycloak by keycloak.
the class EcpAuthenticationHandler method createChallenge.
@Override
protected AbstractInitiateLogin createChallenge() {
return new AbstractInitiateLogin(deployment, sessionStore) {
@Override
protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) {
try {
MessageFactory messageFactory = MessageFactory.newInstance();
SOAPMessage message = messageFactory.createMessage();
SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
envelope.addNamespaceDeclaration(NS_PREFIX_SAML_ASSERTION, JBossSAMLURIConstants.ASSERTION_NSURI.get());
envelope.addNamespaceDeclaration(NS_PREFIX_SAML_PROTOCOL, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
envelope.addNamespaceDeclaration(NS_PREFIX_PAOS_BINDING, JBossSAMLURIConstants.PAOS_BINDING.get());
envelope.addNamespaceDeclaration(NS_PREFIX_PROFILE_ECP, JBossSAMLURIConstants.ECP_PROFILE.get());
createPaosRequestHeader(envelope);
createEcpRequestHeader(envelope);
SOAPBody body = envelope.getBody();
body.addDocument(binding.postBinding(authnRequestBuilder.toDocument()).getDocument());
message.writeTo(httpFacade.getResponse().getOutputStream());
} catch (Exception e) {
throw new RuntimeException("Could not create AuthnRequest.", e);
}
}
private void createEcpRequestHeader(SOAPEnvelope envelope) throws SOAPException {
SOAPHeader headers = envelope.getHeader();
SOAPHeaderElement ecpRequestHeader = headers.addHeaderElement(envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PROFILE_ECP));
ecpRequestHeader.setMustUnderstand(true);
ecpRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
ecpRequestHeader.addAttribute(envelope.createName("ProviderName"), deployment.getEntityID());
ecpRequestHeader.addAttribute(envelope.createName("IsPassive"), "0");
ecpRequestHeader.addChildElement(envelope.createQName("Issuer", "saml")).setValue(deployment.getEntityID());
ecpRequestHeader.addChildElement(envelope.createQName("IDPList", "samlp")).addChildElement(envelope.createQName("IDPEntry", "samlp")).addAttribute(envelope.createName("ProviderID"), deployment.getIDP().getEntityID()).addAttribute(envelope.createName("Name"), deployment.getIDP().getEntityID()).addAttribute(envelope.createName("Loc"), deployment.getIDP().getSingleSignOnService().getRequestBindingUrl());
}
private void createPaosRequestHeader(SOAPEnvelope envelope) throws SOAPException {
SOAPHeader headers = envelope.getHeader();
SOAPHeaderElement paosRequestHeader = headers.addHeaderElement(envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PAOS_BINDING));
paosRequestHeader.setMustUnderstand(true);
paosRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
paosRequestHeader.addAttribute(envelope.createName("service"), JBossSAMLURIConstants.ECP_PROFILE.get());
paosRequestHeader.addAttribute(envelope.createName("responseConsumerURL"), getResponseConsumerUrl());
}
private String getResponseConsumerUrl() {
return (deployment.getIDP() == null || deployment.getIDP().getSingleSignOnService() == null || deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null) ? null : deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
}
};
}
Also used :
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
SOAPBody(javax.xml.soap.SOAPBody)
MessageFactory(javax.xml.soap.MessageFactory)
AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin)
HttpFacade(org.keycloak.adapters.spi.HttpFacade)
BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder)
SOAPEnvelope(javax.xml.soap.SOAPEnvelope)
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
SOAPMessage(javax.xml.soap.SOAPMessage)
SOAPException(javax.xml.soap.SOAPException)
SOAPHeader(javax.xml.soap.SOAPHeader)
Example 5 with SAML2AuthnRequestBuilder
use of org.keycloak.saml.SAML2AuthnRequestBuilder in project keycloak by keycloak.
the class SAMLIdentityProvider method performLogin.
@Override
public Response performLogin(AuthenticationRequest request) {
try {
UriInfo uriInfo = request.getUriInfo();
RealmModel realm = request.getRealm();
String issuerURL = getEntityId(uriInfo, realm);
String destinationUrl = getConfig().getSingleSignOnServiceUrl();
String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
if (nameIDPolicyFormat == null) {
nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
}
String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
String assertionConsumerServiceUrl = request.getRedirectUri();
if (getConfig().isPostBindingResponse()) {
protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
}
SAML2RequestedAuthnContextBuilder requestedAuthnContext = new SAML2RequestedAuthnContextBuilder().setComparison(getConfig().getAuthnContextComparisonType());
for (String authnContextClassRef : getAuthnContextClassRefUris()) requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
for (String authnContextDeclRef : getAuthnContextDeclRefUris()) requestedAuthnContext.addAuthnContextDeclRef(authnContextDeclRef);
Integer attributeConsumingServiceIndex = getConfig().getAttributeConsumingServiceIndex();
String loginHint = getConfig().isLoginHint() ? request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM) : null;
Boolean allowCreate = null;
if (getConfig().getConfig().get(SAMLIdentityProviderConfig.ALLOW_CREATE) == null || getConfig().isAllowCreate())
allowCreate = Boolean.TRUE;
SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().assertionConsumerUrl(assertionConsumerServiceUrl).destination(destinationUrl).issuer(issuerURL).forceAuthn(getConfig().isForceAuthn()).protocolBinding(protocolBinding).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(allowCreate)).attributeConsumingServiceIndex(attributeConsumingServiceIndex).requestedAuthnContext(requestedAuthnContext).subject(loginHint);
JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(request.getState().getEncoded());
boolean postBinding = getConfig().isPostBindingAuthnRequest();
if (getConfig().isWantAuthnRequestsSigned()) {
KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
if (!postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {
// Only include extension if REDIRECT binding and signing whole SAML protocol message
authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
}
}
AuthnRequestType authnRequest = authnRequestBuilder.createAuthnRequest();
for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
authnRequest = it.next().beforeSendingLoginRequest(authnRequest, request.getAuthenticationSession());
}
if (authnRequest.getDestination() != null) {
destinationUrl = authnRequest.getDestination().toString();
}
// Save the current RequestID in the Auth Session as we need to verify it against the ID returned from the IdP
request.getAuthenticationSession().setClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER, authnRequest.getID());
if (postBinding) {
return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
} else {
return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
}
} catch (Exception e) {
throw new IdentityBrokerException("Could not create authentication request.", e);
}
}
Also used :
SAML2RequestedAuthnContextBuilder(org.keycloak.saml.SAML2RequestedAuthnContextBuilder)
JaxrsSAML2BindingBuilder(org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder)
KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
RealmModel(org.keycloak.models.RealmModel)
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException)
SamlAuthenticationPreprocessor(org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor)
SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)
KeyManager(org.keycloak.models.KeyManager)
UriInfo(javax.ws.rs.core.UriInfo)
Aggregations
SAML2AuthnRequestBuilder (org.keycloak.saml.SAML2AuthnRequestBuilder)5
BaseSAML2BindingBuilder (org.keycloak.saml.BaseSAML2BindingBuilder)3
AbstractInitiateLogin (org.keycloak.adapters.saml.AbstractInitiateLogin)2
HttpFacade (org.keycloak.adapters.spi.HttpFacade)2
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)2
IOException (java.io.IOException)1
UriInfo (javax.ws.rs.core.UriInfo)1
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)1
MessageFactory (javax.xml.soap.MessageFactory)1
SOAPBody (javax.xml.soap.SOAPBody)1
SOAPEnvelope (javax.xml.soap.SOAPEnvelope)1
SOAPException (javax.xml.soap.SOAPException)1
SOAPHeader (javax.xml.soap.SOAPHeader)1
SOAPHeaderElement (javax.xml.soap.SOAPHeaderElement)1
SOAPMessage (javax.xml.soap.SOAPMessage)1
SamlDeployment (org.keycloak.adapters.saml.SamlDeployment)1
SingleSignOnService (org.keycloak.adapters.saml.SamlDeployment.IDP.SingleSignOnService)1
IdentityBrokerException (org.keycloak.broker.provider.IdentityBrokerException)1
AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)1
KeyManager (org.keycloak.models.KeyManager)1
