Package org.keycloak.protocol.saml
Class SamlProtocol
java.lang.Object
org.keycloak.protocol.saml.SamlProtocol
- All Implemented Interfaces:
LoginProtocol,Provider
- Direct Known Subclasses:
TokenEndpoint.TokenExchangeSamlProtocol
- Version:
- $Revision: 1 $
- Author:
- Bill Burke
-
Nested Class Summary
Nested ClassesNested classes/interfaces inherited from interface org.keycloak.protocol.LoginProtocol
LoginProtocol.Error -
Field Summary
FieldsModifier and TypeFieldDescriptionprotected ArtifactResolverstatic final Stringstatic final Stringstatic final Stringprotected EventBuilderprotected jakarta.ws.rs.core.HttpHeadersprotected static final org.jboss.logging.Loggerstatic final Stringprotected RealmModelstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringstatic final Stringprotected KeycloakSessionprotected SingleUseObjectProviderprotected jakarta.ws.rs.core.UriInfostatic final String -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionjakarta.ws.rs.core.Responseauthenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) jakarta.ws.rs.core.ResponsebackchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected StringbuildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) protected StringbuildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) protected jakarta.ws.rs.core.ResponsebuildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token sends the artifact message via post or redirect.protected jakarta.ws.rs.core.ResponsebuildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) protected jakarta.ws.rs.core.ResponsebuildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) protected jakarta.ws.rs.core.ResponsebuildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) This method, instead of sending the actual response with the token, sends the artifact message via post or redirect.protected jakarta.ws.rs.core.ResponsebuildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) voidclose()protected LogoutRequestTypecreateLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) jakarta.ws.rs.core.ResponsefinishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) This method is called when browser logout is going to be finished.jakarta.ws.rs.core.ResponsefrontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) getClientData(AuthenticationSessionModel authSession) Returns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests.static StringgetLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) protected StringgetNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) protected StringgetNameIdFormat(SamlClient samlClient, AuthenticationSessionModel authSession) protected StringgetPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows: saml.persistent.name.id.for.$clientId user attribute saml.persistent.name.id.for.* user attribute G-$randomUuidprotected StringgetResponseIssuer(RealmModel realm) protected StringgetSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) protected booleanisLogoutPostBindingForClient(AuthenticatedClientSessionModel clientSession) static booleanprotected booleanisPostBinding(AuthenticatedClientSessionModel clientSession) protected booleanisPostBinding(AuthenticationSessionModel authSession) populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) voidpopulateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) booleanrequireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) jakarta.ws.rs.core.ResponsesendError(ClientModel client, ClientData clientData, LoginProtocol.Error error) Send the specified error to the specified client with the use of this protocol.jakarta.ws.rs.core.ResponsesendError(AuthenticationSessionModel authSession, LoginProtocol.Error error) setEventBuilder(EventBuilder event) setHttpHeaders(jakarta.ws.rs.core.HttpHeaders headers) setRealm(RealmModel realm) setSession(KeycloakSession session) setUriInfo(jakarta.ws.rs.core.UriInfo uriInfo) transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) static booleanuseArtifactForLogout(ClientModel client) Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.keycloak.protocol.LoginProtocol
sendPushRevocationPolicyRequest
-
Field Details
-
ATTRIBUTE_TRUE_VALUE
- See Also:
-
ATTRIBUTE_FALSE_VALUE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE
- See Also:
-
SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE
- See Also:
-
SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE
- See Also:
-
LOGIN_PROTOCOL
- See Also:
-
SAML_BINDING
- See Also:
-
SAML_IDP_INITIATED_LOGIN
- See Also:
-
SAML_POST_BINDING
- See Also:
-
SAML_ARTIFACT_BINDING
- See Also:
-
SAML_SOAP_BINDING
- See Also:
-
SAML_REDIRECT_BINDING
- See Also:
-
SAML_REQUEST_ID
- See Also:
-
SAML_REQUEST_ID_BROKER
- See Also:
-
SAML_LOGOUT_BINDING
- See Also:
-
SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO
- See Also:
-
SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER
- See Also:
-
SAML_LOGOUT_REQUEST_ID
- See Also:
-
SAML_LOGOUT_RELAY_STATE
- See Also:
-
SAML_LOGOUT_CANONICALIZATION
- See Also:
-
SAML_LOGOUT_BINDING_URI
- See Also:
-
SAML_LOGOUT_SIGNATURE_ALGORITHM
- See Also:
-
SAML_NAME_ID
- See Also:
-
SAML_NAME_ID_FORMAT
- See Also:
-
SAML_DEFAULT_NAMEID_FORMAT
-
SAML_PERSISTENT_NAME_ID_FOR
- See Also:
-
SAML_IDP_INITIATED_SSO_RELAY_STATE
- See Also:
-
SAML_IDP_INITIATED_SSO_URL_NAME
- See Also:
-
SAML_LOGIN_REQUEST_FORCEAUTHN
- See Also:
-
SAML_FORCEAUTHN_REQUIREMENT
- See Also:
-
SAML_LOGOUT_INITIATOR_CLIENT_ID
- See Also:
-
USER_SESSION_ID
- See Also:
-
CLIENT_SESSION_ID
- See Also:
-
logger
protected static final org.jboss.logging.Logger logger -
session
-
realm
-
uriInfo
protected jakarta.ws.rs.core.UriInfo uriInfo -
headers
protected jakarta.ws.rs.core.HttpHeaders headers -
event
-
artifactResolver
-
singleUseStore
-
-
Constructor Details
-
SamlProtocol
public SamlProtocol()
-
-
Method Details
-
setSession
- Specified by:
setSessionin interfaceLoginProtocol
-
setRealm
- Specified by:
setRealmin interfaceLoginProtocol
-
setUriInfo
- Specified by:
setUriInfoin interfaceLoginProtocol
-
setHttpHeaders
- Specified by:
setHttpHeadersin interfaceLoginProtocol
-
setEventBuilder
- Specified by:
setEventBuilderin interfaceLoginProtocol
-
sendError
public jakarta.ws.rs.core.Response sendError(AuthenticationSessionModel authSession, LoginProtocol.Error error) - Specified by:
sendErrorin interfaceLoginProtocol
-
getClientData
Description copied from interface:LoginProtocolReturns client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests. The purpose of clientData is to be able to send HTTP error response back to the client if authentication fails due some error and authenticationSession is not available anymore (was either expired or removed). So clientData need to contain all the data to be able to send such response. For instance redirect-uri, state in case of OIDC or RelayState in case of SAML etc.- Specified by:
getClientDatain interfaceLoginProtocol- Parameters:
authSession- session from which particular clientData can be retrieved- Returns:
- client data, which will be wrapped in the "clientData" parameter sent within "authentication flow" requests
-
sendError
public jakarta.ws.rs.core.Response sendError(ClientModel client, ClientData clientData, LoginProtocol.Error error) Description copied from interface:LoginProtocolSend the specified error to the specified client with the use of this protocol. ClientData can contain additional metadata about how to send error response to the client in a correct way for particular protocol. For instance redirect-uri where to send error, state to be used in OIDC authorization endpoint response etc. This method is usually used when we don't have authenticationSession anymore (it was removed or expired) as otherwise it is recommended to useLoginProtocol.sendError(AuthenticationSessionModel, Error)NOTE: This method should also validate if provided clientData are valid according to given client (for instance if redirect-uri is valid) as clientData is request parameter, which can be injected to HTTP URLs by anyone.- Specified by:
sendErrorin interfaceLoginProtocol- Parameters:
client- client where to send errorclientData- clientData with additional protocol specific metadata needed for being able to properly send error with the use of this protocolerror- error to be used- Returns:
- response if error was sent. Null if error was not sent.
-
buildErrorResponse
protected jakarta.ws.rs.core.Response buildErrorResponse(boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException -
getResponseIssuer
-
isPostBinding
-
isPostBinding
-
isLogoutPostBindingForInitiator
-
isLogoutPostBindingForClient
-
getNameIdFormat
-
getNameId
protected String getNameId(String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession) -
getPersistentNameId
protected String getPersistentNameId(CommonClientSessionModel clientSession, UserSessionModel userSession) Attempts to retrieve the persistent type NameId as follows:- saml.persistent.name.id.for.$clientId user attribute
- saml.persistent.name.id.for.* user attribute
- G-$randomUuid
If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.
- Returns:
- the user's persistent NameId
-
authenticated
public jakarta.ws.rs.core.Response authenticated(AuthenticationSessionModel authSession, UserSessionModel userSession, ClientSessionContext clientSessionCtx) - Specified by:
authenticatedin interfaceLoginProtocol
-
buildAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException -
populateAttributeStatements
public AttributeStatementType populateAttributeStatements(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
transformLoginResponse
public ResponseType transformLoginResponse(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx) -
populateRoles
public void populateRoles(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, AttributeStatementType existingAttributeStatement) -
getSAMLNameId
protected String getSAMLNameId(List<SamlProtocol.ProtocolMapperProcessor<SAMLNameIdMapper>> samlNameIdMappers, String nameIdFormat, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) -
getLogoutServiceUrl
public static String getLogoutServiceUrl(KeycloakSession session, ClientModel client, String bindingType, boolean backChannelLogout) -
useArtifactForLogout
-
frontchannelLogout
public jakarta.ws.rs.core.Response frontchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
frontchannelLogoutin interfaceLoginProtocol
-
finishBrowserLogout
public jakarta.ws.rs.core.Response finishBrowserLogout(UserSessionModel userSession, AuthenticationSessionModel logoutSession) Description copied from interface:LoginProtocolThis method is called when browser logout is going to be finished. It is not triggered during backchannel logout- Specified by:
finishBrowserLogoutin interfaceLoginProtocol- Parameters:
userSession- user session, which was logged outlogoutSession- authentication session, which was used during logout to track the logout state- Returns:
- response to be sent to the client
-
buildLogoutResponse
protected jakarta.ws.rs.core.Response buildLogoutResponse(UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException -
backchannelLogout
public jakarta.ws.rs.core.Response backchannelLogout(UserSessionModel userSession, AuthenticatedClientSessionModel clientSession) - Specified by:
backchannelLogoutin interfaceLoginProtocol
-
createLogoutRequest
protected LogoutRequestType createLogoutRequest(String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client, SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions) throws ConfigurationException - Throws:
ConfigurationException
-
requireReauthentication
public boolean requireReauthentication(UserSessionModel userSession, AuthenticationSessionModel authSession) - Specified by:
requireReauthenticationin interfaceLoginProtocol- Returns:
- true if SSO cookie authentication can't be used. User will need to "actively" reauthenticate
-
close
public void close() -
buildArtifactAuthenticatedResponse
protected jakarta.ws.rs.core.Response buildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel clientSession, String redirectUri, SAML2Object samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token sends the artifact message via post or redirect.- Parameters:
clientSession- the current authenticated client sessionredirectUri- the redirect uri to the clientsamlDocument- a Document containing the saml ResponsebindingBuilder- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ConfigurationExceptionProcessingExceptionIOException
-
buildLogoutArtifactResponse
protected jakarta.ws.rs.core.Response buildLogoutArtifactResponse(UserSessionModel userSession, String redirectUri, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder bindingBuilder) throws ProcessingException, ConfigurationException This method, instead of sending the actual response with the token, sends the artifact message via post or redirect. This method is only to be used for the final LogoutResponse.- Parameters:
userSession- The current user session being logged outredirectUri- the redirect uri to the clientstatusResponseType- a Document containing the saml ResponsebindingBuilder- the current JaxrsSAML2BindingBuilder configured with information for signing and encryption- Returns:
- A response (POSTed form or redirect) with a newly generated artifact
- Throws:
ProcessingExceptionIOExceptionConfigurationException
-
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object statusResponseType, UserSessionModel userSession) throws ArtifactResolverProcessingException, ConfigurationException, ProcessingException -
buildArtifactAndStoreResponse
protected String buildArtifactAndStoreResponse(SAML2Object saml2Object, AuthenticatedClientSessionModel clientSessionModel) throws ArtifactResolverProcessingException, ProcessingException, ConfigurationException
-