Use of org.keycloak.saml.SAML2LogoutRequestBuilder in project keycloak by keycloak.
Example: class WebBrowserSsoAuthenticationHandler, method globalLogout.
/**
 * Sends a SAML {@code LogoutRequest} for the currently stored session to the IdP's single logout service.
 *
 * The request is issued by this deployment's entity ID, identifies the IdP-side session with the
 * session index and NameID held in the stored {@link SamlSession}, uses {@code assertionExpiration(30)}
 * (presumably seconds), and has the IdP's SLO request-binding URL as {@code Destination}. It is signed
 * only when the IdP's single logout service descriptor asks for signed requests. After the request has
 * been handed to the binding, the session store's current action is set to {@code LOGGING_OUT}.
 *
 * @return {@link AuthOutcome#NOT_ATTEMPTED} when no account is stored or once the request was dispatched;
 *         {@link AuthOutcome#FAILED} when building or sending the request threw
 */
private AuthOutcome globalLogout() {
    SamlSession currentAccount = sessionStore.getAccount();
    if (currentAccount == null) {
        // Nothing is logged in locally, so there is no IdP session to terminate.
        return AuthOutcome.NOT_ATTEMPTED;
    }

    final String sloRequestUrl = deployment.getIDP().getSingleLogoutService().getRequestBindingUrl();
    SAML2LogoutRequestBuilder requestBuilder = new SAML2LogoutRequestBuilder()
            .assertionExpiration(30)
            .issuer(deployment.getEntityID())
            .sessionIndex(currentAccount.getSessionIndex())
            .nameId(currentAccount.getPrincipal().getNameID())
            .destination(sloRequestUrl);

    BaseSAML2BindingBuilder bindingBuilder = new BaseSAML2BindingBuilder();
    if (deployment.getIDP().getSingleLogoutService().signRequest()) {
        // The IdP descriptor alone decides whether outbound logout requests are signed.
        // The canonicalization method is applied only when one is configured.
        if (deployment.getSignatureCanonicalizationMethod() != null) {
            bindingBuilder.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
        }
        bindingBuilder.signatureAlgorithm(deployment.getSignatureAlgorithm());
        // No key name is attached to the signature yet; KEYCLOAK-3810 tracks adding the KeyID
        // extension to the SAML document:
        // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>));
        bindingBuilder.signWith(null, deployment.getSigningKeyPair()).signDocument();
    }
    bindingBuilder.relayState("logout");

    try {
        SamlUtil.sendSaml(true, facade, sloRequestUrl, bindingBuilder, requestBuilder.buildDocument(),
                deployment.getIDP().getSingleLogoutService().getRequestBinding());
        // Only record the pending logout once the request has actually been handed off.
        sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_OUT);
    } catch (Exception e) {
        log.error("Could not send global logout SAML request", e);
        return AuthOutcome.FAILED;
    }
    return AuthOutcome.NOT_ATTEMPTED;
}
Use of org.keycloak.saml.SAML2LogoutRequestBuilder in project keycloak by keycloak.
Example: class CreateLogoutRequestStepBuilder, method perform.
/**
 * Builds the SAML {@code LogoutRequest} for this step and wraps it in an HTTP request.
 *
 * The request uses {@code authServerSamlUrl} (when set) as destination, the configured issuer, and
 * the session index and NameID resolved via {@code sessionIndex()} and {@code nameId()}. The built
 * document is serialized, passed through the step's transformer and re-parsed. A {@code null} result
 * from the transformer aborts the step. The request is signed with the configured PEM key material
 * only when {@code signingPrivateKeyPem} is set; otherwise an unsigned request is produced.
 *
 * @return the HTTP request to execute, or {@code null} when the transformer dropped the document
 * @throws Exception on build, serialization or parsing failures
 */
@Override
public HttpUriRequest perform(CloseableHttpClient client, URI currentURI, CloseableHttpResponse currentResponse, HttpClientContext context) throws Exception {
    String destination = null;
    if (authServerSamlUrl != null) {
        destination = authServerSamlUrl.toString();
    }
    SAML2LogoutRequestBuilder requestBuilder = new SAML2LogoutRequestBuilder()
            .destination(destination)
            .issuer(issuer)
            .sessionIndex(sessionIndex())
            .nameId(nameId());

    String serialized = DocumentUtil.getDocumentAsString(requestBuilder.buildDocument());
    String rewritten = getTransformer().transform(serialized);
    if (rewritten == null) {
        // The transformer chose to drop the request entirely.
        return null;
    }

    if (this.signingPrivateKeyPem == null) {
        return requestBinding.createSamlUnsignedRequest(authServerSamlUrl, relayState(), DocumentUtil.getDocument(rewritten));
    }
    return requestBinding.createSamlSignedRequest(authServerSamlUrl, relayState(), DocumentUtil.getDocument(rewritten),
            signingPrivateKeyPem, signingPublicKeyPem, signingCertificate);
}
Use of org.keycloak.saml.SAML2LogoutRequestBuilder in project keycloak by keycloak.
Example: class ArtifactBindingWithResolutionServiceTest, method setArtifactResolutionServiceLogoutRequest.
/**
 * Primes the stub artifact resolution service with a {@code LogoutRequest} document.
 *
 * The request targets the realm's SAML endpoint, is issued by {@code SAML_CLIENT_ID_SALES_POST} and
 * carries the session index held in {@code sessionIndexRef}. When {@code nameIdRef} holds a NameID,
 * its value (and its format, if any) is added as the user principal.
 *
 * @param ars the artifact resolution service whose response document is set
 */
private void setArtifactResolutionServiceLogoutRequest(ArtifactResolutionService ars) throws ParsingException, ConfigurationException, ProcessingException {
    SAML2LogoutRequestBuilder requestBuilder = new SAML2LogoutRequestBuilder()
            .destination(getAuthServerSamlEndpoint(REALM_NAME).toString())
            .issuer(SAML_CLIENT_ID_SALES_POST)
            .sessionIndex(sessionIndexRef.get());

    final NameIDType capturedNameId = nameIdRef.get();
    if (capturedNameId != null) {
        // The format is optional; pass null rather than a stringified null.
        String format = null;
        if (capturedNameId.getFormat() != null) {
            format = capturedNameId.getFormat().toString();
        }
        requestBuilder = requestBuilder.userPrincipal(capturedNameId.getValue(), format);
    }

    ars.setResponseDocument(requestBuilder.buildDocument());
}
Use of org.keycloak.saml.SAML2LogoutRequestBuilder in project keycloak by keycloak.
Example: class SamlReverseProxyTest, method testLogoutRequestWithReverseProxy.
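/**
 * KEYCLOAK-12944
 *
 * Tests sending a SAML {@code LogoutRequest} through a reverse proxy. In this scenario the SAML {@code LogoutRequest}
 * has a destination that matches the proxy server, but the request is forwarded to a keycloak server running in a
 * different address.
 *
 * Validation of the destination and any subsequent redirection only work if the proxy server is configured as the
 * {@code frontendUrl} of the realm.
 *
 * The first assertion pins the destination check: without a {@code frontendUrl} the server does not recognise the
 * proxy URL as its own and must reject the request as invalid rather than act on it.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testLogoutRequestWithReverseProxy() throws Exception {
    // send a logout request without defining the frontendUrl for the realm - should get a BAD_REQUEST response
    Document document = new SAML2LogoutRequestBuilder().destination(this.buildSamlProtocolUrl(proxy.getUrl()).toString()).issuer(SAML_CLIENT_ID_SALES_POST).buildDocument();
    testSendSamlRequest(document, Response.Status.BAD_REQUEST, containsString("Invalid Request"));

    // set the frontendUrl pointing to the reverse proxy; remember whatever value was there before so the
    // realm can be restored exactly instead of blindly unsetting the attribute
    RealmRepresentation rep = adminClient.realm(REALM_NAME).toRepresentation();
    if (rep.getAttributes() == null) {
        rep.setAttributes(new HashMap<>());
    }
    final String previousFrontendUrl = rep.getAttributes().get("frontendUrl");
    try {
        rep.getAttributes().put("frontendUrl", proxy.getUrl());
        adminClient.realm(REALM_NAME).update(rep);
        // resend the logout request - should succeed this time (we are actually not logging out anyone, just checking
        // the request is properly validated)
        testSendSamlRequest(document, Response.Status.OK, containsString("login"));
    } finally {
        // restore the state of the realm: put back the previous frontendUrl, or unset it if there was none
        if (previousFrontendUrl == null) {
            rep.getAttributes().remove("frontendUrl");
        } else {
            rep.getAttributes().put("frontendUrl", previousFrontendUrl);
        }
        adminClient.realm(REALM_NAME).update(rep);
    }
}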
Use of org.keycloak.saml.SAML2LogoutRequestBuilder in project keycloak by keycloak.
Example: class SAMLIdentityProvider, method buildLogoutRequest.
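/**
 * Builds the {@code LogoutRequest} that is sent to the external SAML IdP when a user session
 * federated through this identity provider is logged out.
 *
 * The request is issued by this realm's entity ID, is addressed to {@code singleLogoutServiceUrl},
 * and identifies the IdP-side session with the session index and NameID stored as notes on the user
 * session ({@code SAML_FEDERATED_SESSION_INDEX} / {@code SAML_FEDERATED_SUBJECT_NAMEID}). Its
 * expiration is the realm's access code lifespan. Every registered
 * {@link SamlAuthenticationPreprocessor} then gets a chance to rewrite the request before it is returned.
 *
 * @param userSession the session being logged out; expected to carry the federated session-index and NameID notes
 * @param uriInfo used to derive this realm's entity ID
 * @param realm the realm owning the session
 * @param singleLogoutServiceUrl the IdP's single logout endpoint, set as {@code Destination}
 * @param extensions optional {@code <samlp:Extensions>} generators to attach to the request
 * @return the logout request, after all preprocessors ran
 * @throws ConfigurationException if the builder cannot create the request
 */
protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl, NodeGenerator... extensions) throws ConfigurationException {
    SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
            .assertionExpiration(realm.getAccessCodeLifespan())
            .issuer(getEntityId(uriInfo, realm))
            .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
            .nameId(NameIDType.deserializeFromString(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEID)))
            .destination(singleLogoutServiceUrl);
    // Register the extensions before the request object is created. Extensions added afterwards
    // would only reach the request if the builder exposed them by reference, so creating the
    // request last makes the outcome independent of that builder detail.
    for (NodeGenerator extension : extensions) {
        logoutBuilder.addExtension(extension);
    }
    LogoutRequestType logoutRequest = logoutBuilder.createLogoutRequest();
    // Preprocessors may return a different request object, hence the reassignment on every step.
    for (Iterator<SamlAuthenticationPreprocessor> it = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(session); it.hasNext(); ) {
        logoutRequest = it.next().beforeSendingLogoutRequest(logoutRequest, userSession, null);
    }
    return logoutRequest;
}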