/**
 * Creates the session store that tracks SAML login state for this request.
 *
 * The store is a {@link CatalinaSamlSessionStore} wired with the container's
 * user-session management, a freshly created principal factory, the id mapper
 * and its updater, the request, this valve, the facade and the deployment
 * resolved for the request.
 *
 * @param request            the current Catalina request
 * @param facade             facade over the request/response pair
 * @param resolvedDeployment the SAML deployment resolved for this request
 * @return a new store instance
 */
protected SamlSessionStore createSessionStore(Request request, HttpFacade facade, SamlDeployment resolvedDeployment) {
    return new CatalinaSamlSessionStore(
            userSessionManagement,
            createPrincipalFactory(),
            mapper,
            idMapperUpdater,
            request,
            this,
            facade,
            resolvedDeployment);
}
/**
 * Returns the IdP SingleSignOnService's AssertionConsumerService URL as a string.
 *
 * Each hop of the lookup is null-guarded, so an incompletely configured
 * deployment yields {@code null} instead of a NullPointerException.
 *
 * @return the URL text, or {@code null} when the IdP, its SingleSignOnService
 *         or the AssertionConsumerService URL is absent
 */
private String getResponseConsumerUrl() {
    if (deployment.getIDP() == null) {
        return null;
    }
    if (deployment.getIDP().getSingleSignOnService() == null) {
        return null;
    }
    if (deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl() == null) {
        return null;
    }
    return deployment.getIDP().getSingleSignOnService().getAssertionConsumerServiceUrl().toString();
}
};
/**
 * Session-store callback invoked once a SAML session exists for the
 * authenticated subject; it hands the session to {@code completeAuthentication}
 * and does nothing else.
 *
 * @param samlSession the newly created SAML session
 */
@Override
public void onSessionCreated(SamlSession samlSession) {
    // Everything that has to happen after a successful login lives in completeAuthentication.
    completeAuthentication(samlSession);
}
});
/**
 * Registers the SAML SessionIndex and subject of a {@link SamlSession} against
 * the container session id in {@code idMapper} — presumably so that a later
 * logout naming only the SessionIndex can locate the HTTP session.
 *
 * Silently ignores a {@code null} session id or a value that is not a
 * {@link SamlSession}.
 *
 * @param sessionId the container session id
 * @param value     the session attribute value being mapped
 */
private void map(String sessionId, Object value) {
    if (sessionId == null) {
        return;
    }
    if (!(value instanceof SamlSession)) {
        return;
    }
    SamlSession samlSession = (SamlSession) value;
    // NOTE(review): getPrincipal() is dereferenced without a null check — confirm a
    // SamlSession always carries a principal by the time it reaches this listener.
    idMapper.map(samlSession.getSessionIndex(), samlSession.getPrincipal().getSamlSubject(), sessionId);
}
/**
 * Sends the SAML AuthnRequest to the IdP, or answers 401 for clients that
 * cannot take part in browser SSO.
 *
 * When the request is auto-detected as bearer-only, the response is ended with
 * status 401 and no AuthnRequest is produced. Otherwise the request document is
 * built and dispatched to the IdP's request-binding URL using the binding
 * (POST/REDIRECT) configured on the SingleSignOnService.
 *
 * @param httpFacade          facade over the current request/response
 * @param authnRequestBuilder builder producing the AuthnRequest document
 * @param binding             binding builder (already signed if required)
 * @throws ProcessingException    propagated from SAML processing
 * @throws ConfigurationException propagated from SAML configuration
 * @throws IOException            propagated from writing the response
 */
@Override
protected void sendAuthnRequest(HttpFacade httpFacade, SAML2AuthnRequestBuilder authnRequestBuilder, BaseSAML2BindingBuilder binding)
        throws ProcessingException, ConfigurationException, IOException {
    // A bearer-only client cannot follow a browser redirect to the IdP, so just refuse.
    if (isAutodetectedBearerOnly(httpFacade.getRequest())) {
        httpFacade.getResponse().setStatus(401);
        httpFacade.getResponse().end();
        return;
    }
    Document authnRequest = authnRequestBuilder.toDocument();
    SamlDeployment.Binding requestBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
    SamlUtil.sendSaml(true,
            httpFacade,
            deployment.getIDP().getSingleSignOnService().getRequestBindingUrl(),
            binding,
            authnRequest,
            requestBinding);
}
};
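/**
 * Builds the SAML2 binding used to send messages to the IdP, signing the
 * document when the SingleSignOnService is configured with {@code signRequest()}.
 *
 * When signing is required, the deployment's signature algorithm and optional
 * canonicalization method are applied and the document is signed with the
 * deployment's signing key pair. The key pair is checked before any other
 * signing configuration is applied.
 *
 * @param deployment the SP deployment providing the signing configuration
 * @return a binding builder, signed if request signing is configured
 * @throws IllegalStateException when request signing is required but no signing
 *         key pair is configured — sending an unsigned request would silently
 *         downgrade the configured security, so the binding is not built at all
 */
public static BaseSAML2BindingBuilder createSaml2Binding(SamlDeployment deployment) {
    BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder();
    if (!deployment.getIDP().getSingleSignOnService().signRequest()) {
        // Signing not required for this IdP: hand back the plain binding.
        return binding;
    }
    KeyPair keypair = deployment.getSigningKeyPair();
    if (keypair == null) {
        // IllegalStateException is a RuntimeException, so callers catching the
        // previous raw RuntimeException still catch this.
        throw new IllegalStateException("Signing keys not configured");
    }
    binding.signatureAlgorithm(deployment.getSignatureAlgorithm());
    if (deployment.getSignatureCanonicalizationMethod() != null) {
        binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
    }
    binding.signWith(null, keypair);
    // TODO: As part of KEYCLOAK-3810, add KeyID to the SAML document
    // <related DocumentBuilder>.addExtension(new KeycloakKeySamlExtensionGenerator(<key ID>));
    binding.signDocument();
    return binding;
}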
/**
 * Starts the SP-initiated login: builds and sends an AuthnRequest to the IdP
 * and marks the session as "logging in".
 *
 * The current request is saved before the AuthnRequest is sent (so it can be
 * restored after the IdP round-trip), and the LOGGING_IN action is recorded
 * only after the send succeeds. Any failure is rethrown as a RuntimeException
 * with the original exception as its cause.
 *
 * @param httpFacade facade over the current request/response
 * @return always {@code true}
 * @throws RuntimeException wrapping whatever went wrong while building or sending the request
 */
@Override
public boolean challenge(HttpFacade httpFacade) {
    try {
        SAML2AuthnRequestBuilder requestBuilder = buildSaml2AuthnRequestBuilder(deployment);
        BaseSAML2BindingBuilder samlBinding = createSaml2Binding(deployment);
        // Save first, so the post-login restore has something to work with.
        sessionStore.saveRequest();
        sendAuthnRequest(httpFacade, requestBuilder, samlBinding);
        sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_IN);
        return true;
    } catch (Exception e) {
        throw new RuntimeException("Could not create authentication request.", e);
    }
}
/**
 * Runs SAML authentication for a Catalina request.
 *
 * Resolves the deployment for the request; if none is found or it is not
 * configured, logs at trace level and reports failure. Otherwise obtains the
 * session store, builds a {@link CatalinaSamlAuthenticator} and delegates to
 * {@code executeAuthenticator}.
 *
 * @param request     the Catalina request
 * @param response    the servlet response
 * @param loginConfig not used by this implementation
 * @return whatever {@code executeAuthenticator} returns, or {@code false} when
 *         no usable deployment exists
 * @throws IOException propagated from the authenticator
 */
protected boolean authenticateInternal(Request request, HttpServletResponse response, Object loginConfig) throws IOException {
    log.trace("authenticateInternal");
    CatalinaHttpFacade facade = new CatalinaHttpFacade(response, request);
    SamlDeployment resolved = deploymentContext.resolveDeployment(facade);
    boolean usable = resolved != null && resolved.isConfigured();
    if (!usable) {
        // Without a configured deployment there is nothing to authenticate against.
        log.trace("deployment not configured");
        return false;
    }
    SamlSessionStore store = getSessionStore(request, facade, resolved);
    SamlAuthenticator samlAuthenticator = new CatalinaSamlAuthenticator(facade, resolved, store);
    return executeAuthenticator(request, response, facade, resolved, samlAuthenticator);
}
/**
 * Verifies the signature of an inbound SAML message against the IdP's
 * configured signature-validation keys.
 *
 * POST binding: the XML signature embedded in the SAML document is verified.
 * Redirect binding: the signature is not inside the document, so the signed
 * query parameter named by {@code paramKey} is verified instead, using the
 * key id extracted from the message to select the verification key.
 *
 * @param holder      the parsed SAML message (document and object form)
 * @param postBinding {@code true} for POST binding, {@code false} for REDIRECT
 * @param paramKey    name of the signed query parameter (redirect binding only)
 * @throws VerificationException when the signature does not verify
 */
private void validateSamlSignature(SAMLDocumentHolder holder, boolean postBinding, String paramKey) throws VerificationException {
    KeyLocator idpKeys = deployment.getIDP().getSignatureValidationKeyLocator();
    if (!postBinding) {
        String signingKeyId = getMessageSigningKeyId(holder.getSamlObject());
        verifyRedirectBindingSignature(paramKey, idpKeys, signingKeyId);
        return;
    }
    verifyPostBindingSignature(holder.getSamlDocument(), idpKeys);
}
/**
 * Registers the listener that keeps the id mapper in step with container
 * session events, switches the id-mapper updater to EXTERNAL, and then lets
 * the superclass add its own updaters.
 */
@Override
protected void addTokenStoreUpdaters() {
    IdMapperUpdaterSessionListener sessionListener = new IdMapperUpdaterSessionListener(mapper);
    context.addApplicationListenerInstance(sessionListener);
    // The listener above drives the mapping, so the updater is marked as externally managed.
    setIdMapperUpdater(SessionIdMapperUpdater.EXTERNAL);
    super.addTokenStoreUpdaters();
}
}
/**
 * Handles a LogoutResponse from the IdP.
 *
 * The local account is logged out only when a session is currently logged in
 * and the RelayState is exactly {@code "logout"}; otherwise the response is
 * reported as not attempted. Neither {@code holder} nor {@code responseType}
 * is inspected here — in particular the response status is not checked, so a
 * failure status from the IdP still ends the local session (fail-closed).
 * Signature validation of the message is assumed to have happened earlier in
 * the dispatch path; this method does not perform it.
 *
 * @param holder       the parsed SAML message (unused here)
 * @param responseType the logout response (unused here)
 * @param relayState   the RelayState echoed by the IdP
 * @return LOGGED_OUT after logging out, NOT_ATTEMPTED otherwise
 */
protected AuthOutcome handleLogoutResponse(SAMLDocumentHolder holder, StatusResponseType responseType, String relayState) {
    boolean hasSession = sessionStore.isLoggedIn();
    boolean logoutRelayState = "logout".equals(relayState);
    if (!(hasSession && logoutRelayState)) {
        return AuthOutcome.NOT_ATTEMPTED;
    }
    sessionStore.logoutAccount();
    return AuthOutcome.LOGGED_OUT;
}
/**
 * Logs the current account out of the SAML session store and clears the
 * request's user principal.
 *
 * @param request the Catalina request being logged out
 */
protected void logoutInternal(Request request) {
    // No response object is available during logout, so the facade wraps only the request.
    CatalinaHttpFacade facade = new CatalinaHttpFacade(null, request);
    SamlDeployment resolved = deploymentContext.resolveDeployment(facade);
    // NOTE(review): unlike authenticateInternal there is no null / isConfigured() guard on
    // the resolved deployment here — confirm getSessionStore tolerates a null deployment.
    SamlSessionStore store = getSessionStore(request, facade, resolved);
    store.logoutAccount();
    request.setUserPrincipal(null);
}
/**
 * Picks the authentication handler for the request: ECP when
 * {@link EcpAuthenticationHandler#canHandle} accepts the request, otherwise the
 * web-browser SSO profile handler.
 *
 * @param facade       facade over the current request/response
 * @param deployment   the resolved SP deployment
 * @param sessionStore the session store for this request
 * @return the handler that will process the request
 */
protected SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
    boolean ecpRequest = EcpAuthenticationHandler.canHandle(facade);
    // ECP takes precedence; everything else falls back to browser SSO.
    return ecpRequest
            ? EcpAuthenticationHandler.create(facade, deployment, sessionStore)
            : createBrowserHandler(facade, deployment, sessionStore);
}
/**
 * Removes the id-mapper entry for a container session when its
 * {@link SamlSession} was registered under a SessionIndex.
 *
 * Ignores a {@code null} session id, a value that is not a
 * {@link SamlSession}, and sessions without a SessionIndex (those were never
 * mapped).
 *
 * @param sessionId the container session id
 * @param value     the session attribute value being removed
 */
private void unmap(String sessionId, Object value) {
    if (sessionId == null || !(value instanceof SamlSession)) {
        return;
    }
    SamlSession samlSession = (SamlSession) value;
    if (samlSession.getSessionIndex() == null) {
        // Nothing was registered for this session, so there is nothing to remove.
        return;
    }
    idMapper.removeSession(sessionId);
}
}
/**
 * Forwards to the logout page exactly as the superclass does; this override
 * adds no container-specific behaviour.
 *
 * @param request    the Catalina request
 * @param response   the servlet response
 * @param deployment the resolved SP deployment
 */
@Override
protected void forwardToLogoutPage(Request request, HttpServletResponse response, SamlDeployment deployment) {
    // Pure delegation — kept so the hook point is visible in this subclass.
    super.forwardToLogoutPage(request, response, deployment);
}
/**
 * Restores the request saved by {@link #saveRequest()} via the valve, after
 * dropping the redirect URI that was stored alongside it in the HTTP session.
 *
 * @return the valve's result for restoring the request
 */
@Override
public boolean restoreRequest() {
    // The stored redirect URI is single-use; clear it before handing over to the valve.
    getSession(true).removeAttribute(SAML_REDIRECT_URI);
    boolean restored = valve.keycloakRestoreRequest(request);
    return restored;
}
/**
 * Saves the current request through the valve and records the request's own
 * URI in the HTTP session under {@code SAML_REDIRECT_URI}.
 *
 * The saved URI is the one the browser actually requested on this application,
 * not a caller-supplied redirect parameter. An IOException from the valve is
 * rethrown as a RuntimeException with the original as cause.
 *
 * @throws RuntimeException when the valve fails to save the request
 */
@Override
public void saveRequest() {
    try {
        valve.keycloakSaveRequest(request);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }
    // Remember where to send the browser once the IdP round-trip completes.
    getSession(true).setAttribute(SAML_REDIRECT_URI, facade.getRequest().getURI());
}
/**
 * Parses a binding name from configuration.
 *
 * A {@code null} value selects {@link #POST}. Any other value must match an
 * enum constant name exactly — {@link Enum#valueOf} is case-sensitive and does
 * not trim — otherwise an IllegalArgumentException is thrown.
 *
 * @param val the configured binding name, or {@code null} for the default
 * @return the matching binding
 * @throws IllegalArgumentException when {@code val} is not a known binding name
 */
public static Binding parseBinding(String val) {
    return val == null ? POST : Binding.valueOf(val);
}
}
/**
 * Creates an authenticator whose handler is chosen up front for the given
 * request, deployment and session store.
 *
 * @param facade       facade over the current request/response
 * @param deployment   the resolved SP deployment
 * @param sessionStore the session store for this request
 */
public SamlAuthenticator(final HttpFacade facade, final SamlDeployment deployment, final SamlSessionStore sessionStore) {
    // NOTE(review): createAuthenticationHandler is an instance method called from the
    // constructor; if a subclass overrides it, the override runs before that subclass's
    // own fields are initialised — confirm overrides rely only on the arguments.
    SamlAuthenticationHandler chosen = createAuthenticationHandler(facade, deployment, sessionStore);
    this.handler = chosen;
}
/**
 * Returns the deployment for a request: the fixed {@code deployment} when one
 * was supplied, otherwise whatever the {@code resolver} produces for the
 * request.
 *
 * @param facade facade over the current request/response
 * @return the fixed deployment, or the resolver's result (which may be {@code null})
 */
public SamlDeployment resolveDeployment(HttpFacade facade) {
    // A fixed deployment short-circuits per-request resolution.
    return deployment != null ? deployment : resolver.resolve(facade.getRequest());
}
}