
@Test
public void testInResponseToSetCorrectly() throws IOException {
    // The response the broker finally hands to the service provider must carry an
    // InResponseTo equal to the ID of the AuthnRequest the SP originally issued; that
    // attribute is what lets the SP tie a response back to its own outstanding request.
    RealmResource realm = adminClient.realm(REALM_NAME);
    try (IdentityProviderCreator idpCreator = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/saml"))) {
        // Filled in while the SP's AuthnRequest passes through the client builder below.
        AtomicReference<String> spRequestId = new AtomicReference<>();

        SAMLDocumentHolder finalResponse = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST)
                .transformObject(authnRequest -> {
                    spRequestId.set(authnRequest.getID());
                    return authnRequest;
                })
                .build()
                .login().idp(SAML_BROKER_ALIAS).build()
                // Replace whatever the broker sent towards the external IdP with a
                // response produced by createAuthnResponse, posted back to the broker.
                .processSamlResponse(REDIRECT)
                    .transformObject(this::createAuthnResponse)
                    .targetAttributeSamlResponse()
                    .targetUri(getSamlBrokerUrl(REALM_NAME))
                    .build()
                .followOneRedirect()
                // Brokered first login lands on the update-profile form; fill it in.
                .updateProfile()
                    .username("userInResponseTo").email("f@g.h").firstName("a").lastName("b")
                    .build()
                .followOneRedirect()
                .getSamlResponse(POST);

        assertThat(finalResponse.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType response = (ResponseType) finalResponse.getSamlObject();
        assertThat(response.getInResponseTo(), is(spRequestId.get()));
    } finally {
        // The brokered login created a realm user; remove it so later tests start clean.
        clearUsers(realm);
    }
}

@Test
public void testRedirectQueryParametersPreserved() throws IOException {
    // The IdP's SSO URL already carries a query string. The AuthnRequest the broker
    // emits must keep it intact, both in the parsed Destination attribute and in the
    // raw Location header of the redirect that delivers the request.
    String idpSsoUrl = "https://saml.idp/?service=name&serviceType=prod";
    RealmResource realm = adminClient.realm(REALM_NAME);
    try (IdentityProviderCreator idpCreator = new IdentityProviderCreator(realm, addIdentityProvider(idpSsoUrl))) {
        // Pass 1: let the client follow the broker redirect and parse the AuthnRequest.
        SAMLDocumentHolder brokerRequest = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
                .login().idp(SAML_BROKER_ALIAS).build()
                .getSamlResponse(REDIRECT);
        assertThat(brokerRequest.getSamlObject(), Matchers.instanceOf(AuthnRequestType.class));
        AuthnRequestType authnRequest = (AuthnRequestType) brokerRequest.getSamlObject();
        assertThat(authnRequest.getDestination(), Matchers.equalTo(URI.create(idpSsoUrl)));

        // Pass 2: stop at the redirect itself and inspect the Location header verbatim.
        Header[] locationHeaders = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
                .login().idp(SAML_BROKER_ALIAS).build()
                .doNotFollowRedirects()
                .executeAndTransform(response -> response.getHeaders(HttpHeaders.LOCATION));
        assertThat(locationHeaders.length, Matchers.is(1));
        String location = locationHeaders[0].getValue();
        assertThat(location, Matchers.containsString(idpSsoUrl));
        assertThat(location, Matchers.containsString("SAMLRequest"));
    }
}

@Test
public void testLogoutWithPostBindingUnsetRedirectBindingSet() {
    // https://issues.jboss.org/browse/KEYCLOAK-4779
    // sales-post2 is configured with an empty POST logout URL and a usable REDIRECT one;
    // the server is expected to use the redirect binding for its front-channel logout.
    adminClient.realm(REALM_NAME).clients().get(sales2Rep.getId()).update(
            ClientBuilder.edit(sales2Rep)
                    .frontchannelLogout(true)
                    .attribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, "")
                    .attribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "http://url-to-sales-2")
                    .build());

    SAMLDocumentHolder logoutResponse = prepareLogIntoTwoApps()
            .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, POST)
                .nameId(nameIdRef::get)
                .sessionIndex(sessionIndexRef::get)
                .build()
            .processSamlResponse(REDIRECT)
                .transformDocument(logoutRequestDoc -> {
                    // The server must now be asking sales-post2 to log out, via its redirect URL.
                    SAML2Object parsed = (SAML2Object) SAMLParser.getInstance().parse(new DOMSource(logoutRequestDoc));
                    assertThat(parsed, isSamlLogoutRequest("http://url-to-sales-2"));
                    // Answer on behalf of sales-post2 with a logout response bound to that request's ID.
                    return new SAML2LogoutResponseBuilder()
                            .destination(getAuthServerSamlEndpoint(REALM_NAME).toString())
                            .issuer(SAML_CLIENT_ID_SALES_POST2)
                            .logoutRequestID(((LogoutRequestType) parsed).getID())
                            .buildDocument();
                })
                .targetAttributeSamlResponse()
                .targetUri(getAuthServerSamlEndpoint(REALM_NAME))
                .build()
            .getSamlResponse(POST);

    // With sales-post2 done, the server reports overall success back to the initiating client.
    assertThat(logoutResponse.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    StatusResponseType finalStatus = (StatusResponseType) logoutResponse.getSamlObject();
    assertThat(finalStatus.getDestination(), is("http://url"));
    assertLogoutEvent(SAML_CLIENT_ID_SALES_POST2);
}

@Test
public void testLogoutDifferentBrowser() {
    // Cookies are cleared before the logout request, so the request arrives without the
    // browser session it belongs to. This mirrors an admin terminating a session from the
    // console: it behaves like a backend logout, which only logs failures server-side and
    // therefore always reports success to the client.
    adminClient.realm(REALM_NAME).clients().get(sales2Rep.getId()).update(
            ClientBuilder.edit(sales2Rep)
                    .frontchannelLogout(false)
                    .attribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, "")
                    .removeAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE)
                    .build());

    SAMLDocumentHolder logoutResponse = prepareLogIntoTwoApps()
            .clearCookies()
            .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, POST)
                .nameId(nameIdRef::get)
                .sessionIndex(sessionIndexRef::get)
                .build()
            .getSamlResponse(POST);

    assertThat(logoutResponse.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}

@Test
public void testLogoutPropagatesToSamlIdentityProviderNameIdPreserved() throws IOException {
    // A user who logged in through the SAML broker logs out of the SP. The broker must
    // propagate that as a LogoutRequest to the upstream IdP, and the NameID in that request
    // must be the one the IdP issued (format, value and all qualifiers), not a rewritten one.
    RealmResource realm = adminClient.realm(REALM_NAME);
    try (Closeable salesUpdater = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
                 .setFrontchannelLogout(true)
                 .removeAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE)
                 .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "http://url")
                 .update();
         Closeable idpCreator = new IdentityProviderCreator(realm, addIdentityProvider())) {

        SAMLDocumentHolder brokerLogoutRequest = logIntoUnsignedSalesAppViaIdp()
                .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, REDIRECT)
                    .nameId(nameIdRef::get)
                    .sessionIndex(sessionIndexRef::get)
                    .build()
                .getSamlResponse(REDIRECT);

        assertThat(brokerLogoutRequest.getSamlObject(), isSamlLogoutRequest(BROKER_LOGOUT_SERVICE_URL));
        LogoutRequestType logoutRequest = (LogoutRequestType) brokerLogoutRequest.getSamlObject();
        NameIDType nameId = logoutRequest.getNameID();

        // Every NameID component has to survive the round trip through the broker.
        assertThat(nameId.getFormat(), is(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.getUri()));
        assertThat(nameId.getValue(), is("a@b.c"));
        assertThat(nameId.getNameQualifier(), is(NAME_QUALIFIER));
        assertThat(nameId.getSPProvidedID(), is(SP_PROVIDED_ID));
        assertThat(nameId.getSPNameQualifier(), is(SP_NAME_QUALIFIER));
    }
}