Package org.keycloak.broker.saml

Class SAMLIdentityProvider

java.lang.Object

org.keycloak.broker.provider.AbstractIdentityProvider<SAMLIdentityProviderConfig>

org.keycloak.broker.saml.SAMLIdentityProvider

All Implemented Interfaces:

IdentityProvider<SAMLIdentityProviderConfig>, Provider

public class SAMLIdentityProvider
extends AbstractIdentityProvider<SAMLIdentityProviderConfig>

Author:

Pedro Igor

Nested Class Summary

Nested classes/interfaces inherited from interface org.keycloak.broker.provider.IdentityProvider

IdentityProvider.AuthenticationCallback

Field Summary

Fields

Modifier and Type	Field	Description
protected static final org.jboss.logging.Logger	logger

Fields inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

ACCOUNT_LINK_URL, session

Fields inherited from interface org.keycloak.broker.provider.IdentityProvider

EXTERNAL_IDENTITY_PROVIDER, FEDERATED_ACCESS_TOKEN

Constructor Summary

Constructors

Constructor	Description
SAMLIdentityProvider(KeycloakSession session, SAMLIdentityProviderConfig config, DestinationValidator destinationValidator)

Method Summary

Modifier and Type	Method	Description
void	authenticationFinished(AuthenticationSessionModel authSession, BrokeredIdentityContext context)
void	backchannelLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)
protected ArtifactResolveType	buildArtifactResolveRequest(jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String artifactServiceUrl, String artifact, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions)
protected LogoutRequestType	buildLogoutRequest(UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions)
Object	callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event)	JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.
jakarta.ws.rs.core.Response	export(jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String format)	Export a representation of the IdentityProvider in a specific format.
IdentityProviderDataMarshaller	getMarshaller()	Implementation of marshaller to serialize/deserialize attached data to Strings, which can be saved in clientSession
SignatureAlgorithm	getSignatureAlgorithm()
jakarta.ws.rs.core.Response	keycloakInitiatedBrowserLogout(KeycloakSession session, UserSessionModel userSession, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm)	Called when a Keycloak application initiates a logout through the browser.
jakarta.ws.rs.core.Response	performLogin(AuthenticationRequest request)	Initiates the authentication process by sending an authentication request to an identity provider.
boolean	reloadKeys()	Reload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.
SAMLDocumentHolder	resolveArtifact(KeycloakSession session, jakarta.ws.rs.core.UriInfo uriInfo, RealmModel realm, String relayState, String samlArt)
jakarta.ws.rs.core.Response	retrieveToken(KeycloakSession session, FederatedIdentityModel identity)	Returns a Response containing the token previously stored during the authentication process for a specific user.
boolean	supportsLongStateParameter()

Methods inherited from class org.keycloak.broker.provider.AbstractIdentityProvider

close, exchangeErrorResponse, exchangeNotLinked, exchangeNotLinkedNoStore, exchangeNotSupported, exchangeTokenExpired, exchangeUnsupportedRequiredType, getConfig, getLinkingUrl, importNewUser, preprocessFederatedIdentity, updateBrokeredUser

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.broker.provider.IdentityProvider

isMapperSupported

Field Details

logger

protected static final org.jboss.logging.Logger logger

Constructor Details

SAMLIdentityProvider

public SAMLIdentityProvider(KeycloakSession session,
 SAMLIdentityProviderConfig config,
 DestinationValidator destinationValidator)

Method Details

callback

public Object callback(RealmModel realm,
 IdentityProvider.AuthenticationCallback callback,
 EventBuilder event)

Description copied from interface: IdentityProvider

JAXRS callback endpoint for when the remote IDP wants to callback to keycloak.

Specified by:

callback in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

callback in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

Returns:

performLogin

public jakarta.ws.rs.core.Response performLogin(AuthenticationRequest request)

Description copied from interface: IdentityProvider

Initiates the authentication process by sending an authentication request to an identity provider. This method is called only once during the authentication.

Specified by:

performLogin in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

performLogin in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

Parameters:

request - The initial authentication request. Contains all the contextual information in order to build an authentication request to the identity provider.

Returns:

authenticationFinished

public void authenticationFinished(AuthenticationSessionModel authSession,
 BrokeredIdentityContext context)

Specified by:

authenticationFinished in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

authenticationFinished in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

retrieveToken

public jakarta.ws.rs.core.Response retrieveToken(KeycloakSession session,
 FederatedIdentityModel identity)

Description copied from interface: IdentityProvider

Returns a Response containing the token previously stored during the authentication process for a specific user.

Returns:

backchannelLogout

public void backchannelLogout(KeycloakSession session,
 UserSessionModel userSession,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm)

Specified by:

backchannelLogout in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

backchannelLogout in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

keycloakInitiatedBrowserLogout

public jakarta.ws.rs.core.Response keycloakInitiatedBrowserLogout(KeycloakSession session,
 UserSessionModel userSession,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm)

Description copied from interface: IdentityProvider

Called when a Keycloak application initiates a logout through the browser. This is expected to do a logout with the IDP

Specified by:

keycloakInitiatedBrowserLogout in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

keycloakInitiatedBrowserLogout in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

Returns:

null if this is not supported by this provider

buildLogoutRequest

protected LogoutRequestType buildLogoutRequest(UserSessionModel userSession,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm,
 String singleLogoutServiceUrl,
 SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions)
                                        throws ConfigurationException

Throws:

ConfigurationException

export

public jakarta.ws.rs.core.Response export(jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm,
 String format)

Description copied from interface: IdentityProvider

Export a representation of the IdentityProvider in a specific format. For example, a SAML EntityDescriptor

Specified by:

export in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

export in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

Returns:

getSignatureAlgorithm

public SignatureAlgorithm getSignatureAlgorithm()

getMarshaller

public IdentityProviderDataMarshaller getMarshaller()

Description copied from interface: IdentityProvider

Implementation of marshaller to serialize/deserialize attached data to Strings, which can be saved in clientSession

Specified by:

getMarshaller in interface IdentityProvider<SAMLIdentityProviderConfig>

Overrides:

getMarshaller in class AbstractIdentityProvider<SAMLIdentityProviderConfig>

Returns:

reloadKeys

public boolean reloadKeys()

Description copied from interface: IdentityProvider

Reload keys for the identity provider if permitted in it.For example OIDC or SAML providers will reload the keys from the jwks or metadata endpoint.

Returns:

true if reloaded, false if not

supportsLongStateParameter

public boolean supportsLongStateParameter()

Returns:

true if identity provider supports long value of "state" parameter (or "RelayState" parameter), which can hold relatively big amount of context data

resolveArtifact

public SAMLDocumentHolder resolveArtifact(KeycloakSession session,
 jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm,
 String relayState,
 String samlArt)

buildArtifactResolveRequest

protected ArtifactResolveType buildArtifactResolveRequest(jakarta.ws.rs.core.UriInfo uriInfo,
 RealmModel realm,
 String artifactServiceUrl,
 String artifact,
 SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions)
                                                   throws ConfigurationException

Throws:

ConfigurationException