Example 1 with SAML2LoginResponseBuilder
use of org.keycloak.saml.SAML2LoginResponseBuilder in project keycloak by keycloak.
the class SamlProtocolUtilsTest method testBuildArtifactResponse.
@Test
public void testBuildArtifactResponse() throws ConfigurationException, ProcessingException, ParsingException {
ResponseType response = new SAML2LoginResponseBuilder().requestID(IDGenerator.create("ID_")).destination("http://localhost:8180/auth/realms/demo/broker/saml-broker/endpoint").issuer("http://saml.idp/saml").assertionExpiration(1000000).subjectExpiration(1000000).requestIssuer("http://localhost:8180/auth/realms/demo").nameIdentifier(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get(), "a@b.c").authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get()).sessionIndex("idp:" + UUID.randomUUID()).buildModel();
ByteArrayOutputStream bos = new ByteArrayOutputStream();
SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
writer.write(response);
Document responseDoc = DocumentUtil.getDocument(new ByteArrayInputStream(bos.toByteArray()));
ArtifactResponseType artifactResponseType = SamlProtocolUtils.buildArtifactResponse(responseDoc);
Document doc = SamlProtocolUtils.convert(artifactResponseType);
String artifactResponse = DocumentUtil.asString(doc);
assertThat(artifactResponse, containsString("samlp:ArtifactResponse"));
assertThat(artifactResponse, containsString("samlp:Response"));
assertThat(artifactResponse, containsString("saml:Assertion"));
assertThat(artifactResponse.indexOf("samlp:ArtifactResponse"), lessThan(artifactResponse.indexOf("samlp:Response")));
assertThat(artifactResponse.indexOf("samlp:Response"), lessThan(artifactResponse.indexOf("saml:Assertion")));
assertThat(artifactResponse.split("\\Q<saml:Issuer>http://saml.idp/saml</saml:Issuer>\\E").length, is(4));
assertThat(artifactResponse.split("\\Q<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>\\E").length, is(3));
}
Also used :
SAMLResponseWriter(org.keycloak.saml.processing.core.saml.v2.writers.SAMLResponseWriter)
ByteArrayInputStream(java.io.ByteArrayInputStream)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
Matchers.containsString(org.hamcrest.Matchers.containsString)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
Document(org.w3c.dom.Document)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Test(org.junit.Test)
Example 2 with SAML2LoginResponseBuilder
use of org.keycloak.saml.SAML2LoginResponseBuilder in project keycloak by keycloak.
the class SamlProtocol method authenticated.
@Override
public Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) {
AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
ClientModel client = clientSession.getClient();
SamlClient samlClient = new SamlClient(client);
String requestID = authSession.getClientNote(SAML_REQUEST_ID);
String relayState = authSession.getClientNote(GeneralConstants.RELAY_STATE);
String redirectUri = authSession.getRedirectUri();
String responseIssuer = getResponseIssuer(realm);
String nameIdFormat = getNameIdFormat(samlClient, authSession);
int assertionLifespan = samlClient.getAssertionLifespan();
SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder();
builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(assertionLifespan <= 0 ? realm.getAccessCodeLifespan() : assertionLifespan).subjectExpiration(assertionLifespan <= 0 ? realm.getAccessTokenLifespan() : assertionLifespan).sessionExpiration(realm.getSsoSessionMaxLifespan()).requestIssuer(clientSession.getClient().getClientId()).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession);
builder.sessionIndex(sessionIndex);
if (!samlClient.includeAuthnStatement()) {
builder.disableAuthnStatement(true);
}
builder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers = new LinkedList<>();
List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> loginResponseMappers = new LinkedList<>();
AtomicReference<ProtocolMapperProcessor<SAMLRoleListMapper>> roleListMapper = new AtomicReference<>(null);
List<ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers = new LinkedList<>();
ProtocolMapperUtils.getSortedProtocolMappers(session, clientSessionCtx).forEach(entry -> {
ProtocolMapperModel mapping = entry.getKey();
ProtocolMapper mapper = entry.getValue();
if (mapper instanceof SAMLAttributeStatementMapper) {
attributeStatementMappers.add(new ProtocolMapperProcessor<>((SAMLAttributeStatementMapper) mapper, mapping));
}
if (mapper instanceof SAMLLoginResponseMapper) {
loginResponseMappers.add(new ProtocolMapperProcessor<>((SAMLLoginResponseMapper) mapper, mapping));
}
if (mapper instanceof SAMLRoleListMapper) {
roleListMapper.set(new ProtocolMapperProcessor<>((SAMLRoleListMapper) mapper, mapping));
}
if (mapper instanceof SAMLNameIdMapper) {
samlNameIdMappers.add(new ProtocolMapperProcessor<>((SAMLNameIdMapper) mapper, mapping));
}
});
Document samlDocument = null;
ResponseType samlModel = null;
KeyManager keyManager = session.keys();
KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
boolean postBinding = isPostBinding(authSession);
String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
String nameId = getSAMLNameId(samlNameIdMappers, nameIdFormat, session, userSession, clientSession);
if (nameId == null) {
return samlErrorMessage(null, samlClient, isPostBinding(authSession), redirectUri, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, relayState);
}
builder.nameIdentifier(nameIdFormat, nameId);
// save NAME_ID and format in clientSession as they may be persistent or
// transient or email and not username
// we'll need to send this back on a logout
clientSession.setNote(SAML_NAME_ID, nameId);
clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
try {
if ((!postBinding) && samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
}
samlModel = builder.buildModel();
final AttributeStatementType attributeStatement = populateAttributeStatements(attributeStatementMappers, session, userSession, clientSession);
populateRoles(roleListMapper.get(), session, userSession, clientSessionCtx, attributeStatement);
// SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
if (attributeStatement.getAttributes().size() > 0) {
AssertionType assertion = samlModel.getAssertions().get(0).getAssertion();
assertion.addStatement(attributeStatement);
}
samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSessionCtx);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder(session);
bindingBuilder.relayState(relayState);
if ("true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get()))) {
try {
return buildArtifactAuthenticatedResponse(clientSession, redirectUri, samlModel, bindingBuilder);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
}
if (samlClient.requiresRealmSignature() || samlClient.requiresAssertionSignature()) {
String canonicalization = samlClient.getCanonicalizationMethod();
if (canonicalization != null) {
bindingBuilder.canonicalizationMethod(canonicalization);
}
bindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate());
if (samlClient.requiresRealmSignature())
bindingBuilder.signDocument();
if (samlClient.requiresAssertionSignature())
bindingBuilder.signAssertions();
}
if (samlClient.requiresEncryption()) {
PublicKey publicKey = null;
try {
publicKey = SamlProtocolUtils.getEncryptionKey(client);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
bindingBuilder.encrypt(publicKey);
}
try {
samlDocument = builder.buildDocument(samlModel);
return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
} catch (Exception e) {
logger.error("failed", e);
return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
}
}
Also used :
ProtocolMapper(org.keycloak.protocol.ProtocolMapper)
SAMLNameIdMapper(org.keycloak.protocol.saml.mappers.SAMLNameIdMapper)
Document(org.w3c.dom.Document)
KeycloakKeySamlExtensionGenerator(org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator)
SAMLAttributeStatementMapper(org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper)
SAMLLoginResponseMapper(org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
KeyManager(org.keycloak.models.KeyManager)
SAMLRoleListMapper(org.keycloak.protocol.saml.mappers.SAMLRoleListMapper)
PublicKey(java.security.PublicKey)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
AtomicReference(java.util.concurrent.atomic.AtomicReference)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
LinkedList(java.util.LinkedList)
ParsingException(org.keycloak.saml.common.exceptions.ParsingException)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
IOException(java.io.IOException)
ProtocolMapperModel(org.keycloak.models.ProtocolMapperModel)
ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
ClientModel(org.keycloak.models.ClientModel)
Example 3 with SAML2LoginResponseBuilder
use of org.keycloak.saml.SAML2LoginResponseBuilder in project keycloak by keycloak.
the class BrokerTest method createAuthnResponse.
private SAML2Object createAuthnResponse(SAML2Object so) {
AuthnRequestType req = (AuthnRequestType) so;
try {
final ResponseType res = new SAML2LoginResponseBuilder().requestID(req.getID()).destination(req.getAssertionConsumerServiceURL().toString()).issuer("https://saml.idp/saml").assertionExpiration(1000000).subjectExpiration(1000000).requestIssuer(getAuthServerRealmBase(REALM_NAME).toString()).sessionIndex("idp:" + UUID.randomUUID()).buildModel();
AttributeStatementType attrStatement = new AttributeStatementType();
AttributeType attribute = new AttributeType("mail");
attribute.addAttributeValue("v@w.x");
attrStatement.addAttribute(new ASTChoiceType(attribute));
res.getAssertions().get(0).getAssertion().addStatement(attrStatement);
return res;
} catch (ConfigurationException | ProcessingException ex) {
throw new RuntimeException(ex);
}
}
Also used :
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
ASTChoiceType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
Example 4 with SAML2LoginResponseBuilder
use of org.keycloak.saml.SAML2LoginResponseBuilder in project keycloak by keycloak.
the class LogoutTest method createAuthnResponse.
private SAML2Object createAuthnResponse(SAML2Object so) {
AuthnRequestType req = (AuthnRequestType) so;
try {
final ResponseType res = new SAML2LoginResponseBuilder().requestID(req.getID()).destination(req.getAssertionConsumerServiceURL().toString()).issuer(BROKER_SERVICE_ID).assertionExpiration(1000000).subjectExpiration(1000000).requestIssuer(getAuthServerRealmBase(REALM_NAME).toString()).nameIdentifier(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get(), "a@b.c").authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get()).sessionIndex("idp:" + UUID.randomUUID()).buildModel();
NameIDType nameId = (NameIDType) res.getAssertions().get(0).getAssertion().getSubject().getSubType().getBaseID();
nameId.setNameQualifier(NAME_QUALIFIER);
nameId.setSPNameQualifier(SP_NAME_QUALIFIER);
nameId.setSPProvidedID(SP_PROVIDED_ID);
return res;
} catch (ConfigurationException | ProcessingException ex) {
throw new RuntimeException(ex);
}
}
Also used :
AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType)
ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException)
SAML2LoginResponseBuilder(org.keycloak.saml.SAML2LoginResponseBuilder)
NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
Aggregations
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)4
SAML2LoginResponseBuilder (org.keycloak.saml.SAML2LoginResponseBuilder)4
ConfigurationException (org.keycloak.saml.common.exceptions.ConfigurationException)3
ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)3
AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)2
ArtifactResponseType (org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)2
AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)2
StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)2
Document (org.w3c.dom.Document)2
ByteArrayInputStream (java.io.ByteArrayInputStream)1
ByteArrayOutputStream (java.io.ByteArrayOutputStream)1
IOException (java.io.IOException)1
PublicKey (java.security.PublicKey)1
LinkedList (java.util.LinkedList)1
AtomicReference (java.util.concurrent.atomic.AtomicReference)1
Matchers.containsString (org.hamcrest.Matchers.containsString)1
Test (org.junit.Test)1
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)1
ASTChoiceType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType)1
AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)1
