Package org.keycloak.protocol.saml
Class SamlProtocol
java.lang.Object
org.keycloak.protocol.saml.SamlProtocol
- All Implemented Interfaces:
LoginProtocol,Provider
- Direct Known Subclasses:
TokenEndpoint.TokenExchangeSamlProtocol
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Nested ClassesNested classes/interfaces inherited from interface org.keycloak.protocol.LoginProtocol
LoginProtocol.Error -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected ArtifactResolverstatic final Stringstatic final Stringstatic final Stringprotected EventBuilderprotected jakarta.ws.rs.core.HttpHeadersprotected static final org.jboss.logging.Loggerstatic final Stringprotected RealmModelstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringprotected KeycloakSessionprotected SingleUseObjectProviderprotected jakarta.ws.rs.core.UriInfostatic final String -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionjakarta.ws.rs.core.Responseauthenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) jakarta.ws.rs.core.ResponsebackchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected StringbuildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) protected StringbuildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) protected jakarta.ws.rs.core.ResponsebuildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token sends the artifact message via post or redirect.protected jakarta.ws.rs.core.ResponsebuildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) protected jakarta.ws.rs.core.ResponsebuildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) protected jakarta.ws.rs.core.ResponsebuildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token, sends the artifact message via post or redirect.protected jakarta.ws.rs.core.ResponsebuildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) voidclose()protected LogoutRequestTypecreateLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) jakarta.ws.rs.core.ResponsefinishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) This method is called when browser logout is going to be finished.jakarta.ws.rs.core.ResponsefrontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) static StringgetLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) protected StringgetNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) protected StringgetNameIdFormat(SamlClient samlClient, AuthenticationSessionModel authSession) protected StringgetPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows: saml.persistent.name.id.for.$clientId user attribute saml.persistent.name.id.for.* user attribute G-$randomUuidprotected StringgetResponseIssuer(RealmModel realm) protected StringgetSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected booleanisLogoutPostBindingForClient(AuthenticatedClientSessionModel clientSession) static booleanprotected booleanisPostBinding(AuthenticatedClientSessionModel clientSession) protected booleanisPostBinding(AuthenticationSessionModel authSession) populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) voidpopulateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) booleanrequireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) jakarta.ws.rs.core.ResponsesendError(AuthenticationSessionModel authSession, LoginProtocol.Error error) setEventBuilder(EventBuilder event) setHttpHeaders(jakarta.ws.rs.core.HttpHeaders headers) setRealm(RealmModel realm) setSession(KeycloakSession session) setUriInfo(jakarta.ws.rs.core.UriInfo uriInfo) transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) static booleanuseArtifactForLogout(ClientModel client) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.keycloak.protocol.LoginProtocol
sendPushRevocationPolicyRequest
-
Field Details
-
ATTRIBUTE_TRUE_VALUE
- See Also:
-
ATTRIBUTE_FALSE_VALUE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE
- See Also:
-
SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE
- See Also:
-
LOGIN_PROTOCOL
- See Also:
-
SAML_BINDING
- See Also:
-
SAML_IDP_INITIATED_LOGIN
- See Also:
-
SAML_POST_BINDING
- See Also:
-
SAML_SOAP_BINDING
- See Also:
-
SAML_REDIRECT_BINDING
- See Also:
-
SAML_REQUEST_ID
- See Also:
-
SAML_REQUEST_ID_BROKER
- See Also:
-
SAML_LOGOUT_BINDING
- See Also:
-
SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO
- See Also:
-
SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER
- See Also:
-
SAML_LOGOUT_REQUEST_ID
- See Also:
-
SAML_LOGOUT_RELAY_STATE
- See Also:
-
SAML_LOGOUT_CANONICALIZATION
- See Also:
-
SAML_LOGOUT_BINDING_URI
- See Also:
-
SAML_LOGOUT_SIGNATURE_ALGORITHM
- See Also:
-
SAML_NAME_ID
- See Also:
-
SAML_NAME_ID_FORMAT
- See Also:
-
SAML_DEFAULT_NAMEID_FORMAT
-
SAML_PERSISTENT_NAME_ID_FOR
- See Also:
-
SAML_IDP_INITIATED_SSO_RELAY_STATE
- See Also:
-
SAML_IDP_INITIATED_SSO_URL_NAME
- See Also:
-
SAML_LOGIN_REQUEST_FORCEAUTHN
- See Also:
-
SAML_FORCEAUTHN_REQUIREMENT
- See Also:
-
SAML_LOGOUT_INITIATOR_CLIENT_ID
- See Also:
-
USER_SESSION_ID
- See Also:
-
CLIENT_SESSION_ID
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
session
-
realm
-
uriInfo
protected jakarta.ws.rs.core.UriInfo uriInfo -
headers
protected jakarta.ws.rs.core.HttpHeaders headers -
event
-
artifactResolver
-
singleUseStore
-
-
Constructor Details
-
SamlProtocol
public SamlProtocol()
-
-
Method Details
-
setSession
- Specified by:
setSessionin interfaceLoginProtocol
-
setRealm
- Specified by:
setRealmin interfaceLoginProtocol
-
setUriInfo
- Specified by:
setUriInfoin interfaceLoginProtocol
-
setHttpHeaders
- Specified by:
setHttpHeadersin interfaceLoginProtocol
-
setEventBuilder
- Specified by:
setEventBuilderin interfaceLoginProtocol
-
sendError
public jakarta.ws.rs.core.Response sendError(AuthenticationSessionModel authSession, LoginProtocol.Error error) - Specified by:
sendErrorin interfaceLoginProtocol
-
buildErrorResponse
protected jakarta.ws.rs.core.Response buildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException -
getResponseIssuer
-
isPostBinding
-
isPostBinding
-
isLogoutPostBindingForInitiator
-
isLogoutPostBindingForClient
-
getNameIdFormat
-
getNameId
protected String getNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) -
getPersistentNameId
protected String getPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows:- saml.persistent.name.id.for.$clientId user attribute
- saml.persistent.name.id.for.* user attribute
- G-$randomUuid
If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.
- Returns:
- the user's persistent NameId
-
authenticated
public jakarta.ws.rs.core.Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) - Specified by:
authenticatedin interfaceLoginProtocol
-
buildAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException -
populateAttributeStatements
public AttributeStatementType populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
transformLoginResponse
public ResponseType transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
populateRoles
public void populateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) -
getSAMLNameId
protected String getSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
getLogoutServiceUrl
public static String getLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) -
useArtifactForLogout
-
frontchannelLogout
public jakarta.ws.rs.core.Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
frontchannelLogoutin interfaceLoginProtocol
-
finishBrowserLogout
public jakarta.ws.rs.core.Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) Description copied from interface:LoginProtocolThis method is called when browser logout is going to be finished. It is not triggered during backchannel logout- Specified by:
finishBrowserLogoutin interfaceLoginProtocol- Parameters:
userSession- user session, which was logged outlogoutSession- authentication session, which was used during logout to track the logout state- Returns:
- response to be sent to the client
-
buildLogoutResponse
protected jakarta.ws.rs.core.Response buildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException -
backchannelLogout
public jakarta.ws.rs.core.Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
backchannelLogoutin interfaceLoginProtocol
-
createLogoutRequest
protected LogoutRequestType createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) throws ConfigurationException - Throws:
ConfigurationException
-
requireReauthentication
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) - Specified by:
requireReauthenticationin interfaceLoginProtocol- Returns:
- true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
-
close
public void close() -
buildArtifactAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token sends the artifact message via post or redirect.- Parameters:
clientSession- the current authenticated client sessionredirectUri- the redirect uri to the clientsamlDocument- a Document containing the saml ResponsebindingBuilder- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ConfigurationExceptionProcessingExceptionIOException
-
buildLogoutArtifactResponse
protected jakarta.ws.rs.core.Response buildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token, sends the artifact message via post or redirect. This method is only to be used for the final LogoutResponse.- Parameters:
userSession- The current user session being logged outredirectUri- the redirect uri to the clientstatusResponseType- a Document containing the saml ResponsebindingBuilder- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ProcessingExceptionIOExceptionConfigurationException
-
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) throws ArtifactResolverProcessingException, ConfigurationException, ProcessingException -
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) throws ArtifactResolverProcessingException, ProcessingException, ConfigurationException
-