/**
 * Returns the session id to associate with the authenticated principal.
 * Unless the deployment has {@code turnOffChangeSessionIdOnLogin} set, the
 * container's {@code Request.changeSessionId()} is used; otherwise the current
 * id of {@code session} is returned unchanged.
 *
 * @param session the servlet session being authenticated
 * @return the (possibly new) session id
 */
@Override
protected String changeSessionId(HttpSession session) {
    final Request catalinaRequest = this.request;
    // NOTE(review): presumably the id is rotated on login as a session-fixation
    // defence, which is why the deployment switch is an opt-out — confirm with callers.
    return deployment.turnOffChangeSessionIdOnLogin()
            ? session.getId()
            : catalinaRequest.changeSessionId();
}
}
/**
 * Builds the SAML2 binding used to transport a request to the IdP.
 * If the IdP's SSO service requires signed requests, the binding is configured
 * with the deployment's signature algorithm, its canonicalization method (when
 * set) and its signing key pair, and document signing is switched on.
 *
 * @param deployment the SAML deployment configuration
 * @return the configured binding builder
 * @throws RuntimeException if signing is required but no signing key pair is configured
 */
public static BaseSAML2BindingBuilder createSaml2Binding(SamlDeployment deployment) {
    final BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
    final boolean signRequests = deployment.getIDP().getSingleSignOnService().signRequest();
    if (!signRequests) {
        return binding;
    }
    binding.signatureAlgorithm(deployment.getSignatureAlgorithm());
    final KeyPair signingKeys = deployment.getSigningKeyPair();
    if (signingKeys == null) {
        // a deployment that demands signed requests without keys is a configuration error
        throw new RuntimeException("Signing keys not configured");
    }
    if (deployment.getSignatureCanonicalizationMethod() != null) {
        binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
    }
    binding.signWith(null, signingKeys);
    // TODO: As part of KEYCLOAK-3810, add KeyID to the SAML document
    // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>));
    binding.signDocument();
    return binding;
}
/**
 * Delivers the deployment's logout page to the client after a logout.
 * A location matching {@code PROTOCOL_PATTERN} is sent as a redirect; any other
 * location is forwarded to through the request dispatcher. A missing logout page
 * results in a 404. Anti-caching headers are always set first.
 *
 * @param request    the current Catalina request
 * @param response   the response to write to
 * @param deployment the SAML deployment whose logout page is used
 * @throws RuntimeException wrapping any {@link ServletException} or {@link IOException}
 */
protected void forwardToLogoutPage(Request request, HttpServletResponse response, SamlDeployment deployment) {
    final String logoutPage = deployment.getLogoutPage();
    try {
        // the logout page must never be served from a cache
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "0");
        if (logoutPage == null) {
            log.warn("Logout page not set.");
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        final boolean matchesProtocol = PROTOCOL_PATTERN.matcher(logoutPage).find();
        if (matchesProtocol) {
            response.sendRedirect(response.encodeRedirectURL(logoutPage));
            return;
        }
        request.getRequestDispatcher(logoutPage).forward(request.getRequest(), response);
    } catch (ServletException e) {
        throw new RuntimeException(e);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}
/**
 * Prepares an AuthnRequest builder from the deployment's SSO settings.
 * Destination, issuer, ForceAuthn, IsPassive and NameIDPolicy are always set;
 * ProtocolBinding and AssertionConsumerServiceURL only when the SSO service
 * configures a response binding or an assertion consumer URL respectively.
 *
 * @param deployment the SAML deployment configuration
 * @return the populated builder (not yet rendered to a document)
 */
public static SAML2AuthnRequestBuilder buildSaml2AuthnRequestBuilder(SamlDeployment deployment) {
    String nameIdFormat = deployment.getNameIDPolicyFormat();
    if (nameIdFormat == null) {
        // deployment did not pick a NameID format: default to persistent
        nameIdFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
    }
    final SingleSignOnService sso = deployment.getIDP().getSingleSignOnService();
    final SAML2AuthnRequestBuilder builder = new SAML2AuthnRequestBuilder();
    builder.destination(sso.getRequestBindingUrl());
    builder.issuer(deployment.getEntityID());
    builder.forceAuthn(deployment.isForceAuthentication());
    builder.isPassive(deployment.isIsPassive());
    builder.nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIdFormat));
    if (sso.getResponseBinding() != null) {
        final boolean postResponse = sso.getResponseBinding() == SamlDeployment.Binding.POST;
        builder.protocolBinding(postResponse
                ? JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get()
                : JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
    }
    if (sso.getAssertionConsumerServiceUrl() != null) {
        builder.assertionConsumerUrl(sso.getAssertionConsumerServiceUrl());
    }
    return builder;
}
assertion = AssertionUtil.getAssertion(responseHolder, responseType, deployment.getDecryptionKey()); ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator); try { cvb.addAllowedAudience(URI.create(deployment.getEntityID())); if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) { try { if (!AssertionUtil.isSignatureValid(getAssertionFromResponse(responseHolder), deployment.getIDP().getSignatureValidationKeyLocator())) { log.error("Failed to verify saml assertion signature"); if (deployment.getPrincipalNamePolicy() == SamlDeployment.PrincipalNamePolicy.FROM_ATTRIBUTE) { if (deployment.getPrincipalAttributeName() != null) { String attribute = attributes.getFirst(deployment.getPrincipalAttributeName()); if (attribute != null) principalName = attribute; else { attribute = friendlyAttributes.getFirst(deployment.getPrincipalAttributeName()); if (attribute != null) principalName = attribute;
/**
 * Adds the ECP {@code Request} header block to a SOAP envelope.
 * The header is marked mustUnderstand with the SOAP 1.1 "next" actor, names this
 * deployment as ProviderName/Issuer, sets IsPassive to "0", and lists the single
 * configured IdP (ProviderID, Name and its SSO request binding URL as Loc).
 *
 * @param envelope the envelope whose header is extended
 * @throws SOAPException if the SAAJ API fails to build the header
 */
private void createEcpRequestHeader(SOAPEnvelope envelope) throws SOAPException {
    final String spEntityId = deployment.getEntityID();
    final SOAPHeader header = envelope.getHeader();
    final SOAPHeaderElement ecpRequest = header.addHeaderElement(
            envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PROFILE_ECP));
    ecpRequest.setMustUnderstand(true);
    ecpRequest.setActor("http://schemas.xmlsoap.org/soap/actor/next");
    ecpRequest.addAttribute(envelope.createName("ProviderName"), spEntityId);
    ecpRequest.addAttribute(envelope.createName("IsPassive"), "0");
    ecpRequest.addChildElement(envelope.createQName("Issuer", "saml"))
            .setValue(deployment.getEntityID());
    // IDPList with a single IDPEntry pointing at the configured IdP
    ecpRequest.addChildElement(envelope.createQName("IDPList", "samlp"))
            .addChildElement(envelope.createQName("IDPEntry", "samlp"))
            .addAttribute(envelope.createName("ProviderID"), deployment.getIDP().getEntityID())
            .addAttribute(envelope.createName("Name"), deployment.getIDP().getEntityID())
            .addAttribute(envelope.createName("Loc"),
                    deployment.getIDP().getSingleSignOnService().getRequestBindingUrl());
}
/**
 * Returns the configured assertion consumer service URL as a string, or
 * {@code null} when the IdP, its SSO service or that URL is not configured.
 *
 * @return the ACS URL string, or {@code null} if any link in the chain is absent
 */
private String getResponseConsumerUrl() {
    if (deployment.getIDP() == null) {
        return null;
    }
    if (deployment.getIDP().getSingleSignOnService() == null) {
        return null;
    }
    if (deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null) {
        return null;
    }
    return deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
}
};
/**
 * Extracts the {@code Assertion} element from a SAML response document.
 * If the response carries an {@code EncryptedAssertion}, that element is copied
 * into a standalone document and decrypted with the deployment's decryption key;
 * otherwise the plain {@code Assertion} element is looked up directly.
 *
 * @param responseHolder holder of the parsed SAML response document
 * @return the (decrypted) assertion element, or whatever {@code DocumentUtil.getElement}
 *         returns when no plain assertion is present
 * @throws ConfigurationException propagated from the decryption utilities
 * @throws ProcessingException   propagated from the decryption utilities
 */
private Element getAssertionFromResponse(final SAMLDocumentHolder responseHolder) throws ConfigurationException, ProcessingException {
    final Document samlDocument = responseHolder.getSamlDocument();
    final QName encryptedAssertionName = new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get());
    final Element encryptedAssertion = DocumentUtil.getElement(samlDocument, encryptedAssertionName);
    if (encryptedAssertion == null) {
        // not encrypted: the assertion is present in clear text
        return DocumentUtil.getElement(samlDocument, new QName(JBossSAMLConstants.ASSERTION.get()));
    }
    // decrypt a deep copy of the EncryptedAssertion hosted in its own document
    final Document scratch = DocumentUtil.createDocument();
    scratch.appendChild(scratch.importNode(encryptedAssertion, true));
    return XMLEncryptionUtil.decryptElementInDocument(scratch, deployment.getDecryptionKey());
}
/**
 * Verifies the signature on an incoming SAML message against the IdP's
 * signature-validation key locator. POST-bound messages are verified on the
 * XML document; redirect-bound messages are verified via the request parameter
 * named by {@code paramKey}, using the key id taken from the message itself.
 *
 * @param holder      the parsed SAML message
 * @param postBinding {@code true} for HTTP-POST binding, {@code false} for HTTP-Redirect
 * @param paramKey    name of the request parameter carrying the message (redirect binding only)
 * @throws VerificationException if the signature does not verify
 */
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey) throws VerificationException {
    final KeyLocator validationKeys = deployment.getIDP().getSignatureValidationKeyLocator();
    if (!postBinding) {
        final String keyId = getMessageSigningKeyId(holder.getSamlObject());
        verifyRedirectBindingSignature(paramKey, validationKeys, keyId);
        return;
    }
    verifyPostBindingSignature(holder.getSamlDocument(), validationKeys);
}
/**
 * Returns the session id to associate with the authenticated principal.
 * Unless the deployment has {@code turnOffChangeSessionIdOnLogin} set, the
 * container's {@code Request.changeSessionId()} is used; otherwise the current
 * id of {@code session} is returned unchanged.
 *
 * @param session the servlet session being authenticated
 * @return the (possibly new) session id
 */
@Override
protected String changeSessionId(HttpSession session) {
    final Request catalinaRequest = this.request;
    // NOTE(review): presumably the id is rotated on login as a session-fixation
    // defence, which is why the deployment switch is an opt-out — confirm with callers.
    return deployment.turnOffChangeSessionIdOnLogin()
            ? session.getId()
            : catalinaRequest.changeSessionId();
}
}
String issuerURL = deployment.getEntityID(); SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder(); builder.logoutRequestID(request.getID()); builder.destination(deployment.getIDP().getSingleLogoutService().getResponseBindingUrl()); builder.issuer(issuerURL); BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder().relayState(relayState); if (deployment.getIDP().getSingleLogoutService().signResponse()) { if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod()); binding.signatureAlgorithm(deployment.getSignatureAlgorithm()) .signWith(null, deployment.getSigningKeyPair()) .signDocument(); SamlUtil.sendSaml(false, facade, deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(), binding, builder.buildDocument(), deployment.getIDP().getSingleLogoutService().getResponseBinding()); } catch (Exception e) { log.error("Could not send logout response SAML request", e);
/**
 * Sends the AuthnRequest to the IdP, or answers 401 without a redirect when the
 * request is auto-detected as bearer-only.
 *
 * @param httpFacade          facade over the current request/response
 * @param authnRequestBuilder builder producing the AuthnRequest document
 * @param binding             binding builder (signing settings already applied)
 * @throws ProcessingException    propagated from document building/sending
 * @throws ConfigurationException propagated from document building/sending
 * @throws IOException            propagated from sending the response
 */
@Override
protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException {
    if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
        // bearer-only callers cannot follow an IdP redirect: end with a bare 401
        httpFacade.getResponse().setStatus(401);
        httpFacade.getResponse().end();
        return;
    }
    final Document authnRequest = authnRequestBuilder.toDocument();
    final SamlDeployment.Binding requestBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
    SamlUtil.sendSaml(true, httpFacade,
            deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(),
            binding, authnRequest, requestBinding);
}
};
/**
 * Runs the SAML authenticator and reacts to its outcome.
 * AUTHENTICATED yields {@code true} unless the facade already ended the response;
 * LOGGED_OUT clears the local session (and shows the logout page when one is
 * configured); anything else sends the authenticator's challenge, if any.
 *
 * @param request       the current Catalina request
 * @param response      the servlet response
 * @param facade        facade over request/response handed to the challenge
 * @param deployment    the SAML deployment configuration
 * @param authenticator the authenticator to execute
 * @return {@code true} only for AUTHENTICATED with a response that is not ended; {@code false} otherwise
 */
protected boolean executeAuthenticator(Request request, HttpServletResponse response, CatalinaHttpFacade facade, SamlDeployment deployment, SamlAuthenticator authenticator) {
    final AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        log.trace("AUTHENTICATED");
        // an already-ended response has nothing left for the caller to continue with
        return !facade.isEnded();
    } else if (outcome == AuthOutcome.LOGGED_OUT) {
        logoutInternal(request);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(request, response, deployment);
        }
        log.trace("Logging OUT");
        return false;
    } else {
        final AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            log.trace("challenge");
            challenge.challenge(facade);
        }
        return false;
    }
}
/**
 * Returns the session id to associate with the authenticated principal.
 * Unless the deployment has {@code turnOffChangeSessionIdOnLogin} set, the
 * container's {@code Request.changeSessionId()} is used; otherwise the current
 * id of {@code session} is returned unchanged.
 *
 * @param session the servlet session being authenticated
 * @return the (possibly new) session id
 */
@Override
protected String changeSessionId(HttpSession session) {
    final Request catalinaRequest = this.request;
    // NOTE(review): presumably the id is rotated on login as a session-fixation
    // defence, which is why the deployment switch is an opt-out — confirm with callers.
    return deployment.turnOffChangeSessionIdOnLogin()
            ? session.getId()
            : catalinaRequest.changeSessionId();
}
}
.issuer(deployment.getEntityID()) .sessionIndex(account.getSessionIndex()) .userPrincipal(account.getPrincipal().getSamlSubject(), account.getPrincipal().getNameIDFormat()) .destination(deployment.getIDP().getSingleLogoutService().getRequestBindingUrl()); BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder(); if (deployment.getIDP().getSingleLogoutService().signRequest()) { if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod()); binding.signatureAlgorithm(deployment.getSignatureAlgorithm()); binding.signWith(null, deployment.getSigningKeyPair()) .signDocument(); SamlUtil.sendSaml(true, facade, deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(), binding, logoutBuilder.buildDocument(), deployment.getIDP().getSingleLogoutService().getRequestBinding()); sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_OUT); } catch (Exception e) {
if (deployment.getIDP().getSingleLogoutService().validateRequestSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
/**
 * Returns the session id to associate with the authenticated principal.
 * Unless the deployment has {@code turnOffChangeSessionIdOnLogin} set, the
 * container's {@code Request.changeSessionId()} is used; otherwise the current
 * id of {@code session} is returned unchanged.
 *
 * @param session the servlet session being authenticated
 * @return the (possibly new) session id
 */
@Override
protected String changeSessionId(HttpSession session) {
    final Request catalinaRequest = this.request;
    // NOTE(review): presumably the id is rotated on login as a session-fixation
    // defence, which is why the deployment switch is an opt-out — confirm with callers.
    return deployment.turnOffChangeSessionIdOnLogin()
            ? session.getId()
            : catalinaRequest.changeSessionId();
}
}
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY); if (sessionStore.isLoggingOut()) { try { if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
/**
 * Returns the session id to associate with the authenticated principal.
 * Unless the deployment has {@code turnOffChangeSessionIdOnLogin} set, the
 * container's {@code Request.changeSessionId()} is used; otherwise the current
 * id of the Catalina {@code session} is returned unchanged.
 *
 * @param session the Catalina session being authenticated
 * @return the (possibly new) session id
 */
@Override
protected String changeSessionId(Session session) {
    final Request catalinaRequest = this.request;
    // NOTE(review): presumably the id is rotated on login as a session-fixation
    // defence, which is why the deployment switch is an opt-out — confirm with callers.
    return deployment.turnOffChangeSessionIdOnLogin()
            ? session.getId()
            : catalinaRequest.changeSessionId();
}
}