
Example 1 with SAML2AuthnRequestBuilder

Use of org.keycloak.saml.SAML2AuthnRequestBuilder in the project keycloak (by keycloak).

From class AbstractInitiateLogin, method buildSaml2AuthnRequestBuilder (SP adapter side: assembles the AuthnRequest from the deployment configuration).

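/**
 * Builds the SAML 2.0 AuthnRequest for this SP deployment, ready to be
 * signed/encoded by a binding builder.
 *
 * <p>Everything in the request comes from static deployment configuration
 * (entity ID, IdP SSO endpoint, bindings, ACS URL), not from the incoming
 * HTTP request, so no user-controlled data is placed into the XML here.
 *
 * <p>NameIDPolicy defaults to the {@code persistent} format when none is
 * configured, and AllowCreate is always set to {@code true}.
 *
 * @param deployment the SP deployment configuration; must describe an IdP with a SingleSignOnService
 * @return a builder populated with destination, issuer, ForceAuthn/IsPassive, NameIDPolicy and,
 *         when configured, ProtocolBinding and AssertionConsumerServiceURL
 * @throws IllegalArgumentException if {@code deployment} is {@code null}
 * @throws IllegalStateException if the deployment has no IdP SingleSignOnService configured
 *         (previously this surfaced as a bare NullPointerException)
 */
public static SAML2AuthnRequestBuilder buildSaml2AuthnRequestBuilder(SamlDeployment deployment) {
    if (deployment == null) {
        throw new IllegalArgumentException("deployment must not be null");
    }
    // Fail with a descriptive error instead of an NPE when the IdP section is incomplete.
    if (deployment.getIDP() == null || deployment.getIDP().getSingleSignOnService() == null) {
        throw new IllegalStateException("SAML deployment has no IDP SingleSignOnService configured; cannot build AuthnRequest");
    }
    String issuerURL = deployment.getEntityID();
    String nameIDPolicyFormat = deployment.getNameIDPolicyFormat();
    if (nameIDPolicyFormat == null) {
        nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
    }
    SingleSignOnService sso = deployment.getIDP().getSingleSignOnService();
    SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
            .destination(sso.getRequestBindingUrl())
            .issuer(issuerURL)
            .forceAuthn(deployment.isForceAuthentication())
            .isPassive(deployment.isIsPassive())
            .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(Boolean.TRUE));
    // ProtocolBinding tells the IdP how to deliver the Response; only emitted when a
    // response binding is configured. Anything other than POST maps to HTTP-Redirect.
    if (sso.getResponseBinding() != null) {
        String protocolBinding = sso.getResponseBinding() == SamlDeployment.Binding.POST
                ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        authnRequestBuilder.protocolBinding(protocolBinding);
    }
    // Optional: pin the ACS URL the IdP must post back to.
    if (sso.getAssertionConsumerServiceUrl() != null) {
        authnRequestBuilder.assertionConsumerUrl(sso.getAssertionConsumerServiceUrl());
    }
    return authnRequestBuilder;
}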
Also used : SingleSignOnService(org.keycloak.adapters.saml.SamlDeployment.IDP.SingleSignOnService) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)

Example 2 with SAML2AuthnRequestBuilder

Use of org.keycloak.saml.SAML2AuthnRequestBuilder in the project keycloak (by keycloak).

From class AbstractInitiateLogin, method challenge (SP adapter side: issues the login challenge by sending the AuthnRequest).

/**
 * Starts SP-initiated login by sending a SAML AuthnRequest to the IdP.
 * <p>
 * Statement order matters: the original request is saved in the session store
 * before the AuthnRequest is sent (so it can be replayed once the IdP posts the
 * Response back), and the session is only marked LOGGING_IN after the request
 * has actually been sent.
 * <p>
 * NOTE(review): unlike SAMLIdentityProvider.performLogin, nothing visible here
 * records the AuthnRequest ID for an InResponseTo check on the Response;
 * confirm the adapter enforces that elsewhere (session store or response handler).
 *
 * @param httpFacade the current request/response pair
 * @return always {@code true}, i.e. a challenge was issued
 * @throws RuntimeException wrapping any failure while building or sending the request
 */
@Override
public boolean challenge(HttpFacade httpFacade) {
    try {
        SAML2AuthnRequestBuilder authnRequestBuilder = buildSaml2AuthnRequestBuilder(deployment);
        BaseSAML2BindingBuilder binding = createSaml2Binding(deployment);
        // Persist the original request before redirecting away to the IdP.
        sessionStore.saveRequest();
        sendAuthnRequest(httpFacade, authnRequestBuilder, binding);
        sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_IN);
    } catch (Exception e) {
        // Cause is preserved; callers treat any failure here as fatal.
        throw new RuntimeException("Could not create authentication request.", e);
    }
    return true;
}
Also used : BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) IOException(java.io.IOException) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)

Example 3 with SAML2AuthnRequestBuilder

Use of org.keycloak.saml.SAML2AuthnRequestBuilder in the project keycloak (by keycloak).

From class AbstractSamlAuthenticationHandler, method createChallenge (browser flow: sends the AuthnRequest via the configured HTTP binding, or 401 for bearer-only callers).

/**
 * Creates the login challenge for browser-style clients.
 *
 * <p>Bearer-only requests (as autodetected from the request) are answered with a
 * bare 401 and never redirected; everything else has the AuthnRequest sent to the
 * IdP's SSO endpoint using the configured request binding.
 *
 * @return an {@link AbstractInitiateLogin} bound to this handler's deployment and session store
 */
protected AbstractInitiateLogin createChallenge() {
    return new AbstractInitiateLogin(deployment, sessionStore) {

        /**
         * Sends the AuthnRequest, or a 401 for bearer-only (API) callers that
         * cannot follow a redirect.
         */
        @Override
        protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException {
            if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
                httpFacade.getResponse().setStatus(401);
                httpFacade.getResponse().end();
                return;
            }
            Document authnRequest = authnRequestBuilder.toDocument();
            SamlDeployment.IDP.SingleSignOnService sso = deployment.getIDP().getSingleSignOnService();
            // Request binding (POST vs. Redirect) and endpoint both come from deployment config.
            SamlUtil.sendSaml(true, httpFacade, sso.getRequestBindingUrl(), binding, authnRequest, sso.getRequestBinding());
        }
    };
}
Also used : AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin) HttpFacade(org.keycloak.adapters.spi.HttpFacade) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) Document(org.w3c.dom.Document) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder)

Example 4 with SAML2AuthnRequestBuilder

Use of org.keycloak.saml.SAML2AuthnRequestBuilder in the project keycloak (by keycloak).

From class EcpAuthenticationHandler, method createChallenge (ECP/PAOS flow: wraps the AuthnRequest in a SOAP envelope for non-browser clients).

/**
 * Creates the login challenge for the SAML ECP (Enhanced Client or Proxy) profile.
 *
 * <p>Instead of an HTTP redirect, the AuthnRequest is wrapped in a SOAP envelope
 * carrying the PAOS and ECP request headers and written straight to the response
 * body; the ECP client then relays it to the IdP listed in the IDPList.
 *
 * @return an {@link AbstractInitiateLogin} that emits the PAOS/ECP SOAP message
 */
@Override
protected AbstractInitiateLogin createChallenge() {
    return new AbstractInitiateLogin(deployment, sessionStore) {

        /**
         * Builds and writes the PAOS/ECP SOAP envelope containing the AuthnRequest.
         *
         * @throws RuntimeException wrapping any SOAP or binding failure (cause preserved)
         */
        @Override
        protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) {
            try {
                MessageFactory messageFactory = MessageFactory.newInstance();
                SOAPMessage message = messageFactory.createMessage();
                SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
                envelope.addNamespaceDeclaration(NS_PREFIX_SAML_ASSERTION, JBossSAMLURIConstants.ASSERTION_NSURI.get());
                envelope.addNamespaceDeclaration(NS_PREFIX_SAML_PROTOCOL, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
                envelope.addNamespaceDeclaration(NS_PREFIX_PAOS_BINDING, JBossSAMLURIConstants.PAOS_BINDING.get());
                envelope.addNamespaceDeclaration(NS_PREFIX_PROFILE_ECP, JBossSAMLURIConstants.ECP_PROFILE.get());
                createPaosRequestHeader(envelope);
                createEcpRequestHeader(envelope);
                SOAPBody body = envelope.getBody();
                // The AuthnRequest goes through the binding's POST path, so whatever
                // signing the binding was configured with is applied here (presumably
                // the same as for the browser flow — confirm).
                body.addDocument(binding.postBinding(authnRequestBuilder.toDocument()).getDocument());
                // NOTE(review): the PAOS content type / status are not set in this
                // method; verify the caller sets them before the body is written.
                message.writeTo(httpFacade.getResponse().getOutputStream());
            } catch (Exception e) {
                throw new RuntimeException("Could not create AuthnRequest.", e);
            }
        }

        /**
         * Adds the ecp:Request SOAP header: mustUnderstand, targeted at the next
         * actor (the ECP client), naming this SP as issuer and the configured IdP
         * as the single IDPList entry.
         */
        private void createEcpRequestHeader(SOAPEnvelope envelope) throws SOAPException {
            SOAPHeader headers = envelope.getHeader();
            SOAPHeaderElement ecpRequestHeader = headers.addHeaderElement(envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PROFILE_ECP));
            ecpRequestHeader.setMustUnderstand(true);
            ecpRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
            ecpRequestHeader.addAttribute(envelope.createName("ProviderName"), deployment.getEntityID());
            // NOTE(review): hard-coded to "0" while the AuthnRequest itself takes IsPassive
            // from deployment.isIsPassive() (see buildSaml2AuthnRequestBuilder); for a
            // passive deployment the header and the request would disagree — confirm
            // this is intended for ECP.
            ecpRequestHeader.addAttribute(envelope.createName("IsPassive"), "0");
            ecpRequestHeader.addChildElement(envelope.createQName("Issuer", "saml")).setValue(deployment.getEntityID());
            // IDPList restricts the client to the one IdP this deployment trusts; Loc is its SSO request URL.
            ecpRequestHeader.addChildElement(envelope.createQName("IDPList", "samlp")).addChildElement(envelope.createQName("IDPEntry", "samlp")).addAttribute(envelope.createName("ProviderID"), deployment.getIDP().getEntityID()).addAttribute(envelope.createName("Name"), deployment.getIDP().getEntityID()).addAttribute(envelope.createName("Loc"), deployment.getIDP().getSingleSignOnService().getRequestBindingUrl());
        }

        /**
         * Adds the paos:Request SOAP header announcing the ECP service and the URL
         * the client must deliver the IdP's response to.
         */
        private void createPaosRequestHeader(SOAPEnvelope envelope) throws SOAPException {
            SOAPHeader headers = envelope.getHeader();
            SOAPHeaderElement paosRequestHeader = headers.addHeaderElement(envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PAOS_BINDING));
            paosRequestHeader.setMustUnderstand(true);
            paosRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next");
            paosRequestHeader.addAttribute(envelope.createName("service"), JBossSAMLURIConstants.ECP_PROFILE.get());
            // Same configured ACS URL that buildSaml2AuthnRequestBuilder puts into the
            // AuthnRequest, so the two stay consistent. May be null (see below) —
            // confirm the SOAP API tolerates a null attribute value rather than
            // omitting the attribute.
            paosRequestHeader.addAttribute(envelope.createName("responseConsumerURL"), getResponseConsumerUrl());
        }

        /**
         * The configured AssertionConsumerService URL as a string, or {@code null}
         * when the IdP, its SSO service or the ACS URL is not configured.
         */
        private String getResponseConsumerUrl() {
            return (deployment.getIDP() == null || deployment.getIDP().getSingleSignOnService() == null || deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null) ? null : deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
        }
    };
}
Also used : SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) SOAPBody(javax.xml.soap.SOAPBody) MessageFactory(javax.xml.soap.MessageFactory) AbstractInitiateLogin(org.keycloak.adapters.saml.AbstractInitiateLogin) HttpFacade(org.keycloak.adapters.spi.HttpFacade) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) SOAPEnvelope(javax.xml.soap.SOAPEnvelope) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) SOAPMessage(javax.xml.soap.SOAPMessage) SOAPException(javax.xml.soap.SOAPException) SOAPHeader(javax.xml.soap.SOAPHeader)

Example 5 with SAML2AuthnRequestBuilder

Use of org.keycloak.saml.SAML2AuthnRequestBuilder in the project keycloak (by keycloak).

From class SAMLIdentityProvider, method performLogin (identity-brokering side: Keycloak acting as SP towards an external SAML IdP).

/**
 * Builds, optionally signs, and sends the AuthnRequest to the brokered IdP.
 *
 * <p>Security-relevant points, in order of appearance:
 * <ul>
 *   <li>The RelayState is the encoded broker state, which is what ties the IdP
 *       Response back to this authentication session.</li>
 *   <li>The request is signed when {@code wantAuthnRequestsSigned} is set; for the
 *       Redirect binding an Extensions element carrying the key name may be added
 *       so the IdP can pick the right verification key.</li>
 *   <li>The AuthnRequest ID is stored on the authentication session so the
 *       Response's InResponseTo can be verified later.</li>
 * </ul>
 *
 * @param request the broker authentication request (realm, URI info, state, auth session)
 * @return a JAX-RS response performing the HTTP-POST or HTTP-Redirect binding to the IdP
 * @throws IdentityBrokerException wrapping any failure (cause preserved)
 */
@Override
public Response performLogin(AuthenticationRequest request) {
    try {
        UriInfo uriInfo = request.getUriInfo();
        RealmModel realm = request.getRealm();
        String issuerURL = getEntityId(uriInfo, realm);
        String destinationUrl = getConfig().getSingleSignOnServiceUrl();
        String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
        if (nameIDPolicyFormat == null) {
            nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
        }
        String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
        // The ACS URL is the broker's own callback endpoint for this request.
        String assertionConsumerServiceUrl = request.getRedirectUri();
        if (getConfig().isPostBindingResponse()) {
            protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
        }
        SAML2RequestedAuthnContextBuilder requestedAuthnContext = new SAML2RequestedAuthnContextBuilder().setComparison(getConfig().getAuthnContextComparisonType());
        for (String authnContextClassRef : getAuthnContextClassRefUris()) requestedAuthnContext.addAuthnContextClassRef(authnContextClassRef);
        for (String authnContextDeclRef : getAuthnContextDeclRefUris()) requestedAuthnContext.addAuthnContextDeclRef(authnContextDeclRef);
        Integer attributeConsumingServiceIndex = getConfig().getAttributeConsumingServiceIndex();
        // login_hint originates from the client/user (client note on the auth session)
        // and ends up as the request Subject; it is passed to the builder as a value,
        // so XML escaping is presumably handled there — confirm.
        String loginHint = getConfig().isLoginHint() ? request.getAuthenticationSession().getClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM) : null;
        // AllowCreate=true when unset or enabled; otherwise left null (attribute presumably omitted).
        Boolean allowCreate = null;
        if (getConfig().getConfig().get(SAMLIdentityProviderConfig.ALLOW_CREATE) == null || getConfig().isAllowCreate())
            allowCreate = Boolean.TRUE;
        SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder().assertionConsumerUrl(assertionConsumerServiceUrl).destination(destinationUrl).issuer(issuerURL).forceAuthn(getConfig().isForceAuthn()).protocolBinding(protocolBinding).nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat).setAllowCreate(allowCreate)).attributeConsumingServiceIndex(attributeConsumingServiceIndex).requestedAuthnContext(requestedAuthnContext).subject(loginHint);
        // RelayState carries the encoded broker state that links the IdP Response back to this session.
        JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(request.getState().getEncoded());
        boolean postBinding = getConfig().isPostBindingAuthnRequest();
        if (getConfig().isWantAuthnRequestsSigned()) {
            // Sign with the realm's active RSA key; the key name is derived via the configured transformer.
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signatureAlgorithm(getSignatureAlgorithm()).signDocument();
            if (!postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {
                // Only include extension if REDIRECT binding and signing whole SAML protocol message
                authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        AuthnRequestType authnRequest = authnRequestBuilder.createAuthnRequest();
        // Server-side preprocessors may adjust the request (including its Destination).
        for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
            authnRequest = it.next().beforeSendingLoginRequest(authnRequest, request.getAuthenticationSession());
        }
        if (authnRequest.getDestination() != null) {
            destinationUrl = authnRequest.getDestination().toString();
        }
        // Save the current RequestID in the Auth Session as we need to verify it against the ID returned from the IdP
        // NOTE(review): the ID is read from the (possibly preprocessor-replaced) authnRequest,
        // but the document sent below is produced by authnRequestBuilder.toDocument(); this
        // assumes the builder serialises the same AuthnRequestType instance the preprocessors
        // mutated — if a preprocessor returns a new object, the sent ID and the saved ID
        // could differ and the InResponseTo check would fail. TODO confirm.
        request.getAuthenticationSession().setClientNote(SamlProtocol.SAML_REQUEST_ID_BROKER, authnRequest.getID());
        if (postBinding) {
            return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        } else {
            return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
        }
    } catch (Exception e) {
        throw new IdentityBrokerException("Could not create authentication request.", e);
    }
}
Also used : SAML2RequestedAuthnContextBuilder(org.keycloak.saml.SAML2RequestedAuthnContextBuilder) JaxrsSAML2BindingBuilder(org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder) KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) RealmModel(org.keycloak.models.RealmModel) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) IdentityBrokerException(org.keycloak.broker.provider.IdentityBrokerException) SamlAuthenticationPreprocessor(org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor) SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) KeyManager(org.keycloak.models.KeyManager) UriInfo(javax.ws.rs.core.UriInfo)
