Package org.keycloak.protocol.saml
Class SamlProtocol
- java.lang.Object
-
- org.keycloak.protocol.saml.SamlProtocol
-
- All Implemented Interfaces:
LoginProtocol
,Provider
- Direct Known Subclasses:
TokenEndpoint.TokenExchangeSamlProtocol
public class SamlProtocol extends Object implements LoginProtocol
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
SamlProtocol.ProtocolMapperProcessor<T>
-
Nested classes/interfaces inherited from interface org.keycloak.protocol.LoginProtocol
LoginProtocol.Error
-
-
Field Summary
-
Constructor Summary
Constructors Constructor Description SamlProtocol()
-
Method Summary
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.keycloak.protocol.LoginProtocol
sendPushRevocationPolicyRequest
-
-
-
-
Field Detail
-
ATTRIBUTE_TRUE_VALUE
public static final String ATTRIBUTE_TRUE_VALUE
- See Also:
- Constant Field Values
-
ATTRIBUTE_FALSE_VALUE
public static final String ATTRIBUTE_FALSE_VALUE
- See Also:
- Constant Field Values
-
SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
public static final String SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE
public static final String SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE
public static final String SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE
public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE
- See Also:
- Constant Field Values
-
SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE
public static final String SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE
- See Also:
- Constant Field Values
-
LOGIN_PROTOCOL
public static final String LOGIN_PROTOCOL
- See Also:
- Constant Field Values
-
SAML_BINDING
public static final String SAML_BINDING
- See Also:
- Constant Field Values
-
SAML_IDP_INITIATED_LOGIN
public static final String SAML_IDP_INITIATED_LOGIN
- See Also:
- Constant Field Values
-
SAML_POST_BINDING
public static final String SAML_POST_BINDING
- See Also:
- Constant Field Values
-
SAML_SOAP_BINDING
public static final String SAML_SOAP_BINDING
- See Also:
- Constant Field Values
-
SAML_REDIRECT_BINDING
public static final String SAML_REDIRECT_BINDING
- See Also:
- Constant Field Values
-
SAML_REQUEST_ID
public static final String SAML_REQUEST_ID
- See Also:
- Constant Field Values
-
SAML_REQUEST_ID_BROKER
public static final String SAML_REQUEST_ID_BROKER
- See Also:
- Constant Field Values
-
SAML_LOGOUT_BINDING
public static final String SAML_LOGOUT_BINDING
- See Also:
- Constant Field Values
-
SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO
public static final String SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO
- See Also:
- Constant Field Values
-
SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER
public static final String SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER
- See Also:
- Constant Field Values
-
SAML_LOGOUT_REQUEST_ID
public static final String SAML_LOGOUT_REQUEST_ID
- See Also:
- Constant Field Values
-
SAML_LOGOUT_RELAY_STATE
public static final String SAML_LOGOUT_RELAY_STATE
- See Also:
- Constant Field Values
-
SAML_LOGOUT_CANONICALIZATION
public static final String SAML_LOGOUT_CANONICALIZATION
- See Also:
- Constant Field Values
-
SAML_LOGOUT_BINDING_URI
public static final String SAML_LOGOUT_BINDING_URI
- See Also:
- Constant Field Values
-
SAML_LOGOUT_SIGNATURE_ALGORITHM
public static final String SAML_LOGOUT_SIGNATURE_ALGORITHM
- See Also:
- Constant Field Values
-
SAML_NAME_ID
public static final String SAML_NAME_ID
- See Also:
- Constant Field Values
-
SAML_NAME_ID_FORMAT
public static final String SAML_NAME_ID_FORMAT
- See Also:
- Constant Field Values
-
SAML_DEFAULT_NAMEID_FORMAT
public static final String SAML_DEFAULT_NAMEID_FORMAT
-
SAML_PERSISTENT_NAME_ID_FOR
public static final String SAML_PERSISTENT_NAME_ID_FOR
- See Also:
- Constant Field Values
-
SAML_IDP_INITIATED_SSO_RELAY_STATE
public static final String SAML_IDP_INITIATED_SSO_RELAY_STATE
- See Also:
- Constant Field Values
-
SAML_IDP_INITIATED_SSO_URL_NAME
public static final String SAML_IDP_INITIATED_SSO_URL_NAME
- See Also:
- Constant Field Values
-
SAML_LOGIN_REQUEST_FORCEAUTHN
public static final String SAML_LOGIN_REQUEST_FORCEAUTHN
- See Also:
- Constant Field Values
-
SAML_FORCEAUTHN_REQUIREMENT
public static final String SAML_FORCEAUTHN_REQUIREMENT
- See Also:
- Constant Field Values
-
SAML_LOGOUT_INITIATOR_CLIENT_ID
public static final String SAML_LOGOUT_INITIATOR_CLIENT_ID
- See Also:
- Constant Field Values
-
USER_SESSION_ID
public static final String USER_SESSION_ID
- See Also:
- Constant Field Values
-
CLIENT_SESSION_ID
public static final String CLIENT_SESSION_ID
- See Also:
- Constant Field Values
-
logger
protected static final org.jboss.logging.Logger logger
-
session
protected KeycloakSession session
-
realm
protected RealmModel realm
-
uriInfo
protected javax.ws.rs.core.UriInfo uriInfo
-
headers
protected javax.ws.rs.core.HttpHeaders headers
-
event
protected EventBuilder event
-
artifactResolver
protected ArtifactResolver artifactResolver
-
singleUseStore
protected SingleUseObjectProvider singleUseStore
-
-
Method Detail
-
setSession
public SamlProtocol setSession(KeycloakSession session)
- Specified by:
setSession
in interfaceLoginProtocol
-
setRealm
public SamlProtocol setRealm(RealmModel realm)
- Specified by:
setRealm
in interfaceLoginProtocol
-
setUriInfo
public SamlProtocol setUriInfo(javax.ws.rs.core.UriInfo uriInfo)
- Specified by:
setUriInfo
in interfaceLoginProtocol
-
setHttpHeaders
public SamlProtocol setHttpHeaders(javax.ws.rs.core.HttpHeaders headers)
- Specified by:
setHttpHeaders
in interfaceLoginProtocol
-
setEventBuilder
public SamlProtocol setEventBuilder(EventBuilder event)
- Specified by:
setEventBuilder
in interfaceLoginProtocol
-
sendError
public javax.ws.rs.core.Response sendError(AuthenticationSessionModel authSession, LoginProtocol.Error error)
- Specified by:
sendError
in interfaceLoginProtocol
-
buildErrorResponse
protected javax.ws.rs.core.Response buildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException
-
getResponseIssuer
protected String getResponseIssuer(RealmModel realm)
-
isPostBinding
protected boolean isPostBinding(AuthenticationSessionModel authSession)
-
isPostBinding
protected boolean isPostBinding(AuthenticatedClientSessionModel clientSession)
-
isLogoutPostBindingForInitiator
public static boolean isLogoutPostBindingForInitiator(UserSessionModel session)
-
isLogoutPostBindingForClient
protected boolean isLogoutPostBindingForClient(AuthenticatedClientSessionModel clientSession)
-
getNameIdFormat
protected String getNameIdFormat(SamlClient samlClient, AuthenticationSessionModel authSession)
-
getNameId
protected String getNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession)
-
getPersistentNameId
protected String getPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession)
Attempts to retrieve the persistent type NameId as follows:- saml.persistent.name.id.for.$clientId user attribute
- saml.persistent.name.id.for.* user attribute
- G-$randomUuid
If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.
- Returns:
- the user's persistent NameId
-
authenticated
public javax.ws.rs.core.Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
- Specified by:
authenticated
in interfaceLoginProtocol
-
buildAuthenticatedResponse
protected javax.ws.rs.core.Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException
-
populateAttributeStatements
public AttributeStatementType populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
-
transformLoginResponse
public ResponseType transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx)
-
populateRoles
public void populateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement)
-
getSAMLNameId
protected String getSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
-
getLogoutServiceUrl
public static String getLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout)
-
useArtifactForLogout
public static boolean useArtifactForLogout(ClientModel client)
-
frontchannelLogout
public javax.ws.rs.core.Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
- Specified by:
frontchannelLogout
in interfaceLoginProtocol
-
finishBrowserLogout
public javax.ws.rs.core.Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession)
Description copied from interface:LoginProtocol
This method is called when browser logout is going to be finished. It is not triggered during backchannel logout- Specified by:
finishBrowserLogout
in interfaceLoginProtocol
- Parameters:
userSession
- user session, which was logged outlogoutSession
- authentication session, which was used during logout to track the logout state- Returns:
- response to be sent to the client
-
buildLogoutResponse
protected javax.ws.rs.core.Response buildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException
-
backchannelLogout
public javax.ws.rs.core.Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)
- Specified by:
backchannelLogout
in interfaceLoginProtocol
-
createLogoutRequest
protected LogoutRequestType createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) throws ConfigurationException
- Throws:
ConfigurationException
-
requireReauthentication
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession)
- Specified by:
requireReauthentication
in interfaceLoginProtocol
- Returns:
- true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
-
buildArtifactAuthenticatedResponse
protected javax.ws.rs.core.Response buildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException
This method, instead of sending the actual response with the token sends the artifact message via post or redirect.- Parameters:
clientSession
- the current authenticated client sessionredirectUri
- the redirect uri to the clientsamlDocument
- a Document containing the saml ResponsebindingBuilder
- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ConfigurationException
ProcessingException
IOException
-
buildLogoutArtifactResponse
protected javax.ws.rs.core.Response buildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException
This method, instead of sending the actual response with the token, sends the artifact message via post or redirect. This method is only to be used for the final LogoutResponse.- Parameters:
userSession
- The current user session being logged outredirectUri
- the redirect uri to the clientstatusResponseType
- a Document containing the saml ResponsebindingBuilder
- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ProcessingException
IOException
ConfigurationException
-
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) throws ArtifactResolverProcessingException, ConfigurationException, ProcessingException
-
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) throws ArtifactResolverProcessingException, ProcessingException, ConfigurationException
-
-