if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) { try { if (!AssertionUtil.isSignatureValid(getAssertionFromResponse(responseHolder), deployment.getIDP().getSignatureValidationKeyLocator())) { log.error("Failed to verify saml assertion signature");
if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY); if (sessionStore.isLoggingOut()) { try { if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
if (deployment.getIDP().getSingleLogoutService().validateRequestSignature()) { try { validateSamlSignature(holder, postBinding, GeneralConstants.SAML_REQUEST_KEY);
.sessionIndex(account.getSessionIndex()) .userPrincipal(account.getPrincipal().getSamlSubject(), account.getPrincipal().getNameIDFormat()) .destination(deployment.getIDP().getSingleLogoutService().getRequestBindingUrl()); BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder(); if (deployment.getIDP().getSingleLogoutService().signRequest()) { if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod()); SamlUtil.sendSaml(true, facade, deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(), binding, logoutBuilder.buildDocument(), deployment.getIDP().getSingleLogoutService().getRequestBinding()); sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_OUT); } catch (Exception e) {
SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder(); builder.logoutRequestID(request.getID()); builder.destination(deployment.getIDP().getSingleLogoutService().getResponseBindingUrl()); builder.issuer(issuerURL); BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder().relayState(relayState); if (deployment.getIDP().getSingleLogoutService().signResponse()) { if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod()); SamlUtil.sendSaml(false, facade, deployment.getIDP().getSingleLogoutService().getResponseBindingUrl(), binding, builder.buildDocument(), deployment.getIDP().getSingleLogoutService().getResponseBinding()); } catch (Exception e) { log.error("Could not send logout response SAML request", e);
public static SAML2AuthnRequestBuilder buildSaml2AuthnRequestBuilder(SamlDeployment deployment) { String issuerURL = deployment.getEntityID(); String nameIDPolicyFormat = deployment.getNameIDPolicyFormat(); if (nameIDPolicyFormat == null) { nameIDPolicyFormat = JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get(); } SingleSignOnService sso = deployment.getIDP().getSingleSignOnService(); SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder() .destination(sso.getRequestBindingUrl()) .issuer(issuerURL) .forceAuthn(deployment.isForceAuthentication()).isPassive(deployment.isIsPassive()) .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat)); if (sso.getResponseBinding() != null) { String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get(); if (sso.getResponseBinding() == SamlDeployment.Binding.POST) { protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get(); } authnRequestBuilder.protocolBinding(protocolBinding); } if (sso.getAssertionConsumerServiceUrl() != null) { authnRequestBuilder.assertionConsumerUrl(sso.getAssertionConsumerServiceUrl()); } return authnRequestBuilder; }
public static BaseSAML2BindingBuilder createSaml2Binding(SamlDeployment deployment) { BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder(); if (deployment.getIDP().getSingleSignOnService().signRequest()) { binding.signatureAlgorithm(deployment.getSignatureAlgorithm()); KeyPair keypair = deployment.getSigningKeyPair(); if (keypair == null) { throw new RuntimeException("Signing keys not configured"); } if (deployment.getSignatureCanonicalizationMethod() != null) { binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod()); } binding.signWith(null, keypair); // TODO: As part of KEYCLOAK-3810, add KeyID to the SAML document // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>)); binding.signDocument(); } return binding; }
private void createEcpRequestHeader(SOAPEnvelope envelope) throws SOAPException { SOAPHeader headers = envelope.getHeader(); SOAPHeaderElement ecpRequestHeader = headers.addHeaderElement(envelope.createQName(JBossSAMLConstants.REQUEST.get(), NS_PREFIX_PROFILE_ECP)); ecpRequestHeader.setMustUnderstand(true); ecpRequestHeader.setActor("http://schemas.xmlsoap.org/soap/actor/next"); ecpRequestHeader.addAttribute(envelope.createName("ProviderName"), deployment.getEntityID()); ecpRequestHeader.addAttribute(envelope.createName("IsPassive"), "0"); ecpRequestHeader.addChildElement(envelope.createQName("Issuer", "saml")).setValue(deployment.getEntityID()); ecpRequestHeader.addChildElement(envelope.createQName("IDPList", "samlp")) .addChildElement(envelope.createQName("IDPEntry", "samlp")) .addAttribute(envelope.createName("ProviderID"), deployment.getIDP().getEntityID()) .addAttribute(envelope.createName("Name"), deployment.getIDP().getEntityID()) .addAttribute(envelope.createName("Loc"), deployment.getIDP().getSingleSignOnService().getRequestBindingUrl()); }
@Override protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding) throws ProcessingException, ConfigurationException, IOException { if (isAutodetectedBearerOnly(httpFacade.getRequest())) { httpFacade.getResponse().setStatus(401); httpFacade.getResponse().end(); } else { Document document = authnRequestBuilder.toDocument(); SamlDeployment.Binding samlBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding(); SamlUtil.sendSaml(true, httpFacade, deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(), binding, document, samlBinding); } } };
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey) throws VerificationException { KeyLocator signatureValidationKey = deployment.getIDP().getSignatureValidationKeyLocator(); if (postBinding) { verifyPostBindingSignature(holder.getSamlDocument(), signatureValidationKey); } else { String keyId = getMessageSigningKeyId(holder.getSamlObject()); verifyRedirectBindingSignature(paramKey, signatureValidationKey, keyId); } }
private String getResponseConsumerUrl() { return (deployment.getIDP() == null || deployment.getIDP().getSingleSignOnService() == null || deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null ) ? null : deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString(); } };