Class SamlProtocol

  • All Implemented Interfaces:
    org.keycloak.protocol.LoginProtocol, org.keycloak.provider.Provider
  • Direct Known Subclasses:
    TokenEndpoint.TokenExchangeSamlProtocol

    public class SamlProtocol
    extends Object
    implements org.keycloak.protocol.LoginProtocol
    Version:
    $Revision: 1 $
    Author:
    Bill Burke
    • Constructor Detail

      • SamlProtocol

        public SamlProtocol()
    • Method Detail

      • setSession

        public SamlProtocol setSession​(org.keycloak.models.KeycloakSession session)
        Specified by:
        setSession in interface org.keycloak.protocol.LoginProtocol
      • setRealm

        public SamlProtocol setRealm​(org.keycloak.models.RealmModel realm)
        Specified by:
        setRealm in interface org.keycloak.protocol.LoginProtocol
      • setUriInfo

        public SamlProtocol setUriInfo​(javax.ws.rs.core.UriInfo uriInfo)
        Specified by:
        setUriInfo in interface org.keycloak.protocol.LoginProtocol
      • setHttpHeaders

        public SamlProtocol setHttpHeaders​(javax.ws.rs.core.HttpHeaders headers)
        Specified by:
        setHttpHeaders in interface org.keycloak.protocol.LoginProtocol
      • setEventBuilder

        public SamlProtocol setEventBuilder​(org.keycloak.events.EventBuilder event)
        Specified by:
        setEventBuilder in interface org.keycloak.protocol.LoginProtocol
      • sendError

        public javax.ws.rs.core.Response sendError​(org.keycloak.sessions.AuthenticationSessionModel authSession,
                                                   org.keycloak.protocol.LoginProtocol.Error error)
        Specified by:
        sendError in interface org.keycloak.protocol.LoginProtocol
      • buildErrorResponse

        protected javax.ws.rs.core.Response buildErrorResponse​(boolean isPostBinding,
                                                               String destination,
                                                               JaxrsSAML2BindingBuilder binding,
                                                               Document document)
                                                        throws org.keycloak.saml.common.exceptions.ConfigurationException,
                                                               org.keycloak.saml.common.exceptions.ProcessingException,
                                                               IOException
        Throws:
        org.keycloak.saml.common.exceptions.ConfigurationException
        org.keycloak.saml.common.exceptions.ProcessingException
        IOException
      • getResponseIssuer

        protected String getResponseIssuer​(org.keycloak.models.RealmModel realm)
      • isPostBinding

        protected boolean isPostBinding​(org.keycloak.sessions.AuthenticationSessionModel authSession)
      • isPostBinding

        protected boolean isPostBinding​(org.keycloak.models.AuthenticatedClientSessionModel clientSession)
      • isLogoutPostBindingForInitiator

        public static boolean isLogoutPostBindingForInitiator​(org.keycloak.models.UserSessionModel session)
      • isLogoutPostBindingForClient

        protected boolean isLogoutPostBindingForClient​(org.keycloak.models.AuthenticatedClientSessionModel clientSession)
      • getNameIdFormat

        protected String getNameIdFormat​(SamlClient samlClient,
                                         org.keycloak.sessions.AuthenticationSessionModel authSession)
      • getNameId

        protected String getNameId​(String nameIdFormat,
                                   org.keycloak.sessions.CommonClientSessionModel clientSession,
                                   org.keycloak.models.UserSessionModel userSession)
      • getPersistentNameId

        protected String getPersistentNameId​(org.keycloak.sessions.CommonClientSessionModel clientSession,
                                             org.keycloak.models.UserSessionModel userSession)
        Attempts to retrieve the persistent type NameId as follows:
        1. saml.persistent.name.id.for.$clientId user attribute
        2. saml.persistent.name.id.for.* user attribute
        3. G-$randomUuid

        If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.

        Returns:
        the user's persistent NameId
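        The three-step lookup above, as an added stand-alone example that is not Keycloak's own code: user attributes are modelled as a plain Map inside a hypothetical User holder, and resolvePersistentNameId is a hypothetical helper standing in for getPersistentNameId. Only the attribute names (saml.persistent.name.id.for.$clientId, saml.persistent.name.id.for.*) and the G-$randomUuid shape come from the documentation; the client ids and attribute values are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/**
 * Illustration of the documented persistent NameID lookup order.
 * Not Keycloak's implementation: Keycloak's session and model types are
 * replaced by a small hypothetical User holder with a String-valued attribute map.
 */
public class PersistentNameIdExample {

    /** Attribute-name prefix from the documented attribute names. */
    static final String ATTR_PREFIX = "saml.persistent.name.id.for.";
    /** Wildcard attribute that applies to every client (step 2). */
    static final String ATTR_WILDCARD = ATTR_PREFIX + "*";
    /** Prefix of a freshly generated identifier (step 3). */
    static final String GENERATED_PREFIX = "G-";

    /** Hypothetical stand-in for a user's single-valued attributes. */
    static final class User {
        final Map<String, String> attributes = new HashMap<>();
    }

    /**
     * Resolves the persistent NameID for (user, clientId):
     *   1. the client-specific attribute,
     *   2. the wildcard attribute,
     *   3. a new "G-" + random UUID, stored under the client-specific attribute.
     * Only step 3 writes to the user; steps 1 and 2 are read-only.
     */
    static String resolvePersistentNameId(User user, String clientId) {
        String clientAttr = ATTR_PREFIX + clientId;

        String specific = user.attributes.get(clientAttr);
        if (specific != null && !specific.isEmpty()) {
            return specific;
        }
        String wildcard = user.attributes.get(ATTR_WILDCARD);
        if (wildcard != null && !wildcard.isEmpty()) {
            return wildcard;
        }
        // Step 3: mint an opaque, client-scoped pseudonym and persist it so the
        // same value is returned on every later login to this client.
        String generated = GENERATED_PREFIX + UUID.randomUUID();
        user.attributes.put(clientAttr, generated);
        return generated;
    }

    public static void main(String[] args) {
        User alice = new User();

        // First login to constructed client "sp-a": nothing stored, so a value
        // is generated and persisted; the second login returns the same value.
        String first = resolvePersistentNameId(alice, "sp-a");
        String second = resolvePersistentNameId(alice, "sp-a");
        System.out.println("sp-a stable across logins: " + first.equals(second));

        // A different client gets a different pseudonym: the identifier is
        // pairwise, so two service providers cannot correlate the user by NameID alone.
        String other = resolvePersistentNameId(alice, "sp-b");
        System.out.println("sp-b differs from sp-a: " + !first.equals(other));

        // A wildcard attribute serves any client without a specific value and
        // causes no write to the user's attributes.
        User bob = new User();
        bob.attributes.put(ATTR_WILDCARD, "bob-shared-id");
        int before = bob.attributes.size();
        String viaWildcard = resolvePersistentNameId(bob, "sp-c");
        System.out.println("wildcard used: " + viaWildcard.equals("bob-shared-id")
                + ", no attribute written: " + (bob.attributes.size() == before));
    }
}
```

        The point worth checking in a real deployment is the one the last block exercises: a value under saml.persistent.name.id.for.* is shared across every client, so it gives up the pairwise unlinkability that the per-client generated identifier provides; prefer client-specific attributes unless cross-client correlation is intended.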
      • authenticated

        public javax.ws.rs.core.Response authenticated​(org.keycloak.sessions.AuthenticationSessionModel authSession,
                                                       org.keycloak.models.UserSessionModel userSession,
                                                       org.keycloak.models.ClientSessionContext clientSessionCtx)
        Specified by:
        authenticated in interface org.keycloak.protocol.LoginProtocol
      • buildAuthenticatedResponse

        protected javax.ws.rs.core.Response buildAuthenticatedResponse​(org.keycloak.models.AuthenticatedClientSessionModel clientSession,
                                                                       String redirectUri,
                                                                       Document samlDocument,
                                                                       JaxrsSAML2BindingBuilder bindingBuilder)
                                                                throws org.keycloak.saml.common.exceptions.ConfigurationException,
                                                                       org.keycloak.saml.common.exceptions.ProcessingException,
                                                                       IOException
        Throws:
        org.keycloak.saml.common.exceptions.ConfigurationException
        org.keycloak.saml.common.exceptions.ProcessingException
        IOException
      • populateAttributeStatements

        public org.keycloak.dom.saml.v2.assertion.AttributeStatementType populateAttributeStatements​(List<SamlProtocol.ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers,
                                                                                                     org.keycloak.models.KeycloakSession session,
                                                                                                     org.keycloak.models.UserSessionModel userSession,
                                                                                                     org.keycloak.models.AuthenticatedClientSessionModel clientSession)
      • transformLoginResponse

        public org.keycloak.dom.saml.v2.protocol.ResponseType transformLoginResponse​(List<SamlProtocol.ProtocolMapperProcessor<SAMLLoginResponseMapper>> mappers,
                                                                                     org.keycloak.dom.saml.v2.protocol.ResponseType response,
                                                                                     org.keycloak.models.KeycloakSession session,
                                                                                     org.keycloak.models.UserSessionModel userSession,
                                                                                     org.keycloak.models.ClientSessionContext clientSessionCtx)
      • populateRoles

        public void populateRoles​(SamlProtocol.ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper,
                                  org.keycloak.models.KeycloakSession session,
                                  org.keycloak.models.UserSessionModel userSession,
                                  org.keycloak.models.ClientSessionContext clientSessionCtx,
                                  org.keycloak.dom.saml.v2.assertion.AttributeStatementType existingAttributeStatement)
      • getLogoutServiceUrl

        public static String getLogoutServiceUrl​(org.keycloak.models.KeycloakSession session,
                                                 org.keycloak.models.ClientModel client,
                                                 String bindingType,
                                                 boolean backChannelLogout)
      • useArtifactForLogout

        public static boolean useArtifactForLogout​(org.keycloak.models.ClientModel client)
      • frontchannelLogout

        public javax.ws.rs.core.Response frontchannelLogout​(org.keycloak.models.UserSessionModel userSession,
                                                            org.keycloak.models.AuthenticatedClientSessionModel clientSession)
        Specified by:
        frontchannelLogout in interface org.keycloak.protocol.LoginProtocol
      • finishBrowserLogout

        public javax.ws.rs.core.Response finishBrowserLogout​(org.keycloak.models.UserSessionModel userSession,
                                                             org.keycloak.sessions.AuthenticationSessionModel logoutSession)
        Specified by:
        finishBrowserLogout in interface org.keycloak.protocol.LoginProtocol
      • buildLogoutResponse

        protected javax.ws.rs.core.Response buildLogoutResponse​(org.keycloak.models.UserSessionModel userSession,
                                                                String logoutBindingUri,
                                                                org.keycloak.saml.SAML2LogoutResponseBuilder builder,
                                                                JaxrsSAML2BindingBuilder binding)
                                                         throws org.keycloak.saml.common.exceptions.ConfigurationException,
                                                                org.keycloak.saml.common.exceptions.ProcessingException,
                                                                IOException
        Throws:
        org.keycloak.saml.common.exceptions.ConfigurationException
        org.keycloak.saml.common.exceptions.ProcessingException
        IOException
      • backchannelLogout

        public javax.ws.rs.core.Response backchannelLogout​(org.keycloak.models.UserSessionModel userSession,
                                                           org.keycloak.models.AuthenticatedClientSessionModel clientSession)
        Specified by:
        backchannelLogout in interface org.keycloak.protocol.LoginProtocol
      • createLogoutRequest

        protected org.keycloak.dom.saml.v2.protocol.LogoutRequestType createLogoutRequest​(String logoutUrl,
                                                                                          org.keycloak.models.AuthenticatedClientSessionModel clientSession,
                                                                                          org.keycloak.models.ClientModel client,
                                                                                          org.keycloak.saml.SamlProtocolExtensionsAwareBuilder.NodeGenerator... extensions)
                                                                                   throws org.keycloak.saml.common.exceptions.ConfigurationException
        Throws:
        org.keycloak.saml.common.exceptions.ConfigurationException
      • requireReauthentication

        public boolean requireReauthentication​(org.keycloak.models.UserSessionModel userSession,
                                               org.keycloak.sessions.AuthenticationSessionModel authSession)
        Specified by:
        requireReauthentication in interface org.keycloak.protocol.LoginProtocol
      • close

        public void close()
        Specified by:
        close in interface org.keycloak.provider.Provider
      • buildArtifactAuthenticatedResponse

        protected javax.ws.rs.core.Response buildArtifactAuthenticatedResponse​(org.keycloak.models.AuthenticatedClientSessionModel clientSession,
                                                                               String redirectUri,
                                                                               org.keycloak.dom.saml.v2.SAML2Object samlDocument,
                                                                               JaxrsSAML2BindingBuilder bindingBuilder)
                                                                        throws org.keycloak.saml.common.exceptions.ProcessingException,
                                                                               org.keycloak.saml.common.exceptions.ConfigurationException
        This method, instead of sending the actual response with the token, sends the artifact message via POST or redirect.
        Parameters:
        clientSession - the current authenticated client session
        redirectUri - the redirect uri to the client
        samlDocument - a Document containing the saml Response
        bindingBuilder - the current JaxrsSAML2BindingBuilder configured with information for signing and encryption
        Returns:
        A response (POSTed form or redirect) with a newly generated artifact
        Throws:
        org.keycloak.saml.common.exceptions.ConfigurationException
        org.keycloak.saml.common.exceptions.ProcessingException
        IOException
      • buildLogoutArtifactResponse

        protected javax.ws.rs.core.Response buildLogoutArtifactResponse​(org.keycloak.models.UserSessionModel userSession,
                                                                        String redirectUri,
                                                                        org.keycloak.dom.saml.v2.protocol.StatusResponseType statusResponseType,
                                                                        JaxrsSAML2BindingBuilder bindingBuilder)
                                                                 throws org.keycloak.saml.common.exceptions.ProcessingException,
                                                                        org.keycloak.saml.common.exceptions.ConfigurationException
        This method, instead of sending the actual response with the token, sends the artifact message via post or redirect. This method is only to be used for the final LogoutResponse.
        Parameters:
        userSession - The current user session being logged out
        redirectUri - the redirect uri to the client
        statusResponseType - a Document containing the saml Response
        bindingBuilder - the current JaxrsSAML2BindingBuilder configured with information for signing and encryption
        Returns:
        A response (POSTed form or redirect) with a newly generated artifact
        Throws:
        org.keycloak.saml.common.exceptions.ProcessingException
        IOException
        org.keycloak.saml.common.exceptions.ConfigurationException
      • buildArtifactAndStoreResponse

        protected String buildArtifactAndStoreResponse​(org.keycloak.dom.saml.v2.SAML2Object statusResponseType,
                                                       org.keycloak.models.UserSessionModel userSession)
                                                throws org.keycloak.protocol.saml.ArtifactResolverProcessingException,
                                                       org.keycloak.saml.common.exceptions.ConfigurationException,
                                                       org.keycloak.saml.common.exceptions.ProcessingException
        Throws:
        org.keycloak.protocol.saml.ArtifactResolverProcessingException
        org.keycloak.saml.common.exceptions.ConfigurationException
        org.keycloak.saml.common.exceptions.ProcessingException
      • buildArtifactAndStoreResponse

        protected String buildArtifactAndStoreResponse​(org.keycloak.dom.saml.v2.SAML2Object saml2Object,
                                                       org.keycloak.models.AuthenticatedClientSessionModel clientSessionModel)
                                                throws org.keycloak.protocol.saml.ArtifactResolverProcessingException,
                                                       org.keycloak.saml.common.exceptions.ProcessingException,
                                                       org.keycloak.saml.common.exceptions.ConfigurationException
        Throws:
        org.keycloak.protocol.saml.ArtifactResolverProcessingException
        org.keycloak.saml.common.exceptions.ProcessingException
        org.keycloak.saml.common.exceptions.ConfigurationException