Examples with SAMLDocumentHolder org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder used on opensource projects

Example 81 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class AbstractSamlAuthenticationHandler method handleSamlResponse.

protected AuthOutcome handleSamlResponse(String samlResponse, String relayState, OnSessionCreated onCreateSession) {
    SAMLDocumentHolder holder = null;
    boolean postBinding = false;
    String requestUri = facade.getRequest().getURI();
    if (facade.getRequest().getMethod().equalsIgnoreCase("GET")) {
        int index = requestUri.indexOf('?');
        if (index > -1) {
            requestUri = requestUri.substring(0, index);
        }
        holder = extractRedirectBindingResponse(samlResponse);
    } else {
        postBinding = true;
        holder = extractPostBindingResponse(samlResponse);
    }
    if (holder == null) {
        log.error("Error parsing SAML document");
        return failed(CHALLENGE_EXTRACTION_FAILURE);
    }
    final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
    // validate destination
    if (statusResponse.getDestination() == null && containsUnencryptedSignature(holder, postBinding)) {
        log.error("Destination field required.");
        return failed(CHALLENGE_EXTRACTION_FAILURE);
    }
    if (!destinationValidator.validate(requestUri, statusResponse.getDestination())) {
        log.error("Request URI '" + requestUri + "' does not match SAML request destination '" + statusResponse.getDestination() + "'");
        return failedTerminal();
    }
    if (statusResponse instanceof ResponseType) {
        try {
            if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
                try {
                    validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
                } catch (VerificationException e) {
                    log.error("Failed to verify saml response signature", e);
                    return failed(CHALLENGE_INVALID_SIGNATURE);
                }
            }
            return handleLoginResponse(holder, postBinding, onCreateSession);
        } finally {
            sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
        }
    } else {
        if (sessionStore.isLoggingOut()) {
            try {
                if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) {
                    try {
                        validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
                    } catch (VerificationException e) {
                        log.error("Failed to verify saml response signature", e);
                        return failedTerminal();
                    }
                }
                return handleLogoutResponse(holder, statusResponse, relayState);
            } finally {
                sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
            }
        } else if (sessionStore.isLoggingIn()) {
            try {
                // KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
                StatusType status = statusResponse.getStatus();
                if (checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())) {
                    log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
                    return AuthOutcome.NOT_AUTHENTICATED;
                }
                return failed(createAuthChallenge403(statusResponse));
            } finally {
                sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
            }
        }
        log.warn("Keycloak Adapter obtained Response, that is not understood. This may be because the containers " + "cookies are not properly configured with SameSite settings. Refer to KEYCLOAK-14103 for more details.");
        return AuthOutcome.NOT_ATTEMPTED;
    }
}

Example 82 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class SAML2Request method getAuthnRequestType.

/**
 * Get the AuthnRequestType from an input stream
 *
 * @param is Inputstream containing the AuthnRequest
 *
 * @return
 *
 * @throws ParsingException
 * @throws ProcessingException
 * @throws ConfigurationException
 * @throws IllegalArgumentException inputstream is null
 */
public AuthnRequestType getAuthnRequestType(InputStream is) throws ConfigurationException, ProcessingException, ParsingException {
    if (is == null)
        throw logger.nullArgumentError("InputStream");
    Document samlDocument = DocumentUtil.getDocument(is);
    SAMLParser samlParser = SAMLParser.getInstance();
    JAXPValidationUtil.checkSchemaValidation(samlDocument);
    AuthnRequestType requestType = (AuthnRequestType) samlParser.parse(samlDocument);
    samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
    return requestType;
}

Example 83 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class SAML2Request method getRequestType.

/**
 * Get a Request Type from Input Stream
 *
 * @param is
 *
 * @return
 *
 * @throws ProcessingException
 * @throws ConfigurationException
 * @throws
 * @throws IllegalArgumentException inputstream is null
 */
public RequestAbstractType getRequestType(InputStream is) throws ParsingException, ConfigurationException, ProcessingException {
    if (is == null)
        throw logger.nullArgumentError("InputStream");
    Document samlDocument = DocumentUtil.getDocument(is);
    SAMLParser samlParser = SAMLParser.getInstance();
    JAXPValidationUtil.checkSchemaValidation(samlDocument);
    RequestAbstractType requestType = (RequestAbstractType) samlParser.parse(samlDocument);
    samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
    return requestType;
}

Example 84 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class SAML2Response method getSAML2ObjectFromStream.

/**
 * Read a {@code SAML2Object} from an input stream
 *
 * @param is
 *
 * @return
 *
 * @throws ParsingException
 * @throws ConfigurationException
 * @throws ProcessingException
 */
public SAML2Object getSAML2ObjectFromStream(InputStream is) throws ParsingException, ConfigurationException, ProcessingException {
    if (is == null)
        throw logger.nullArgumentError("InputStream");
    Document samlResponseDocument = DocumentUtil.getDocument(is);
    if (logger.isTraceEnabled()) {
        logger.trace("SAML Response Document: " + DocumentUtil.asString(samlResponseDocument));
    }
    SAMLParser samlParser = SAMLParser.getInstance();
    JAXPValidationUtil.checkSchemaValidation(samlResponseDocument);
    SAML2Object responseType = (SAML2Object) samlParser.parse(samlResponseDocument);
    samlDocumentHolder = new SAMLDocumentHolder(responseType, samlResponseDocument);
    return responseType;
}