org.keycloak.protocol.saml.SamlService.BindingProtocol の継承関係図

org.keycloak.protocol.saml.SamlService.BindingProtocol 連携図

公開メンバ関数
Response	execute (String samlRequest, String samlResponse, String relayState)

限定公開メンバ関数
Response	basicChecks (String samlRequest, String samlResponse)

Response	handleSamlResponse (String samlResponse, String relayState)

Response	handleSamlRequest (String samlRequest, String relayState)

abstract void	verifySignature (SAMLDocumentHolder documentHolder, ClientModel client) throws VerificationException

abstract SAMLDocumentHolder	extractRequestDocument (String samlRequest)

abstract SAMLDocumentHolder	extractResponseDocument (String response)

Response	loginRequest (String relayState, AuthnRequestType requestAbstractType, ClientModel client)

String	getBindingType (AuthnRequestType requestAbstractType)

abstract String	getBindingType ()

Response	logoutRequest (LogoutRequestType logoutRequest, ClientModel client, String relayState)

限定公開変数類
boolean	redirectToAuthentication

非公開メンバ関数
boolean	isSupportedNameIdFormat (String nameIdFormat)

boolean	checkSsl ()

詳解

関数詳解

◆ basicChecks()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.basicChecks	(	String	samlRequest,
		String	samlResponse
	)

inlineprotected

                                                                                 {
             if (!checkSsl()) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.SSL_REQUIRED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
             }
             if (!realm.isEnabled()) {
                 event.event(EventType.LOGIN_ERROR);
                 event.error(Errors.REALM_DISABLED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
             }
 
             if (samlRequest == null && samlResponse == null) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
 
             }
             return null;
         }

◆ checkSsl()

boolean org.keycloak.protocol.saml.SamlService.BindingProtocol.checkSsl ( )

inlineprivate

                                    {
             if (session.getContext().getUri().getBaseUri().getScheme().equals("https")) {
                 return true;
             } else {
                 return !realm.getSslRequired().isRequired(clientConnection);
             }
         }

◆ execute()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.execute	(	String	samlRequest,
		String	samlResponse,
		String	relayState
	)

inline

                                                                                             {
             Response response = basicChecks(samlRequest, samlResponse);
             if (response != null)
                 return response;
             if (samlRequest != null)
                 return handleSamlRequest(samlRequest, relayState);
             else
                 return handleSamlResponse(samlResponse, relayState);
         }

◆ extractRequestDocument()

abstract SAMLDocumentHolder org.keycloak.protocol.saml.SamlService.BindingProtocol.extractRequestDocument ( String samlRequest )

abstractprotected

◆ extractResponseDocument()

abstract SAMLDocumentHolder org.keycloak.protocol.saml.SamlService.BindingProtocol.extractResponseDocument ( String response )

abstractprotected

◆ getBindingType() [1/2]

String org.keycloak.protocol.saml.SamlService.BindingProtocol.getBindingType ( AuthnRequestType requestAbstractType )

inlineprotected

                                                                               {
             URI requestedProtocolBinding = requestAbstractType.getProtocolBinding();
 
             if (requestedProtocolBinding != null) {
                 if (JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get().equals(requestedProtocolBinding.toString())) {
                     return SamlProtocol.SAML_POST_BINDING;
                 } else {
                     return SamlProtocol.SAML_REDIRECT_BINDING;
                 }
             }
 
             return getBindingType();
         }

◆ getBindingType() [2/2]

abstract String org.keycloak.protocol.saml.SamlService.BindingProtocol.getBindingType ( )

abstractprotected

◆ handleSamlRequest()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.handleSamlRequest	(	String	samlRequest,
		String	relayState
	)

inlineprotected

                                                                                     {
             SAMLDocumentHolder documentHolder = extractRequestDocument(samlRequest);
             if (documentHolder == null) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
 
             SAML2Object samlObject = documentHolder.getSamlObject();
 
             if (! (samlObject instanceof RequestAbstractType)) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
 
             RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
             final NameIDType issuerNameId = requestAbstractType.getIssuer();
             String issuer = requestAbstractType.getIssuer() == null ? null : issuerNameId.getValue();
             ClientModel client = realm.getClientByClientId(issuer);
 
             if (client == null) {
                 event.event(EventType.LOGIN);
                 event.client(issuer);
                 event.error(Errors.CLIENT_NOT_FOUND);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.UNKNOWN_LOGIN_REQUESTER);
             }
 
             if (!client.isEnabled()) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.CLIENT_DISABLED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.LOGIN_REQUESTER_NOT_ENABLED);
             }
             if (client.isBearerOnly()) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.NOT_ALLOWED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.BEARER_ONLY);
             }
             if (!client.isStandardFlowEnabled()) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.NOT_ALLOWED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.STANDARD_FLOW_DISABLED);
             }
 
             session.getContext().setClient(client);
 
             try {
                 verifySignature(documentHolder, client);
             } catch (VerificationException e) {
                 SamlService.logger.error("request validation failed", e);
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_SIGNATURE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
             }
             logger.debug("verified request");
             if (samlObject instanceof AuthnRequestType) {
                 logger.debug("** login request");
                 event.event(EventType.LOGIN);
                 // Get the SAML Request Message
                 AuthnRequestType authn = (AuthnRequestType) samlObject;
                 return loginRequest(relayState, authn, client);
             } else if (samlObject instanceof LogoutRequestType) {
                 logger.debug("** logout request");
                 event.event(EventType.LOGOUT);
                 LogoutRequestType logout = (LogoutRequestType) samlObject;
                 return logoutRequest(logout, client, relayState);
 
             } else {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
         }

◆ handleSamlResponse()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.handleSamlResponse	(	String	samlResponse,
		String	relayState
	)

inlineprotected

                                                                                       {
             event.event(EventType.LOGOUT);
             SAMLDocumentHolder holder = extractResponseDocument(samlResponse);
 
             if (! (holder.getSamlObject() instanceof StatusResponseType)) {
                 event.detail(Details.REASON, "invalid_saml_response");
                 event.error(Errors.INVALID_SAML_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
 
             StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
             // validate destination
             if (! destinationValidator.validate(session.getContext().getUri().getAbsolutePath(), statusResponse.getDestination())) {
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
 
             AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, false);
             if (authResult == null) {
                 logger.warn("Unknown saml response.");
                 event.event(EventType.LOGOUT);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             // assume this is a logout response
             UserSessionModel userSession = authResult.getSession();
             if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
                 logger.warn("Unknown saml response.");
                 logger.warn("UserSession is not tagged as logging out.");
                 event.event(EventType.LOGOUT);
                 event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             String issuer = statusResponse.getIssuer().getValue();
             ClientModel client = realm.getClientByClientId(issuer);
             if (client == null) {
                 event.event(EventType.LOGOUT);
                 event.client(issuer);
                 event.error(Errors.CLIENT_NOT_FOUND);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
             }
             session.getContext().setClient(client);
             logger.debug("logout response");
             Response response = authManager.browserLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers);
             event.success();
             return response;
         }

◆ isSupportedNameIdFormat()

boolean org.keycloak.protocol.saml.SamlService.BindingProtocol.isSupportedNameIdFormat ( String nameIdFormat )

inlineprivate

                                                                      {
             if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()) || nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) || nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())
                     || nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
                 return true;
             }
             return false;
         }

◆ loginRequest()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.loginRequest	(	String	relayState,
		AuthnRequestType	requestAbstractType,
		ClientModel	client
	)

inlineprotected

                                                                                                                      {
             SamlClient samlClient = new SamlClient(client);
             // validate destination
             if (requestAbstractType.getDestination() == null && samlClient.requiresClientSignature()) {
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             if (! destinationValidator.validate(session.getContext().getUri().getAbsolutePath(), requestAbstractType.getDestination())) {
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             String bindingType = getBindingType(requestAbstractType);
             if (samlClient.forcePostBinding())
                 bindingType = SamlProtocol.SAML_POST_BINDING;
             String redirect;
             URI redirectUri = requestAbstractType.getAssertionConsumerServiceURL();
             if (redirectUri != null && ! "null".equals(redirectUri.toString())) { // "null" is for testing purposes
                 redirect = RedirectUtils.verifyRedirectUri(session.getContext().getUri(), redirectUri.toString(), realm, client);
             } else {
                 if (bindingType.equals(SamlProtocol.SAML_POST_BINDING)) {
                     redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
                 } else {
                     redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
                 }
                 if (redirect == null) {
                     redirect = client.getManagementUrl();
                 }
 
             }
 
             if (redirect == null) {
                 event.error(Errors.INVALID_REDIRECT_URI);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI);
             }
 
             AuthenticationSessionModel authSession = createAuthenticationSession(client, relayState);
 
             authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
             authSession.setRedirectUri(redirect);
             authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
             authSession.setClientNote(SamlProtocol.SAML_BINDING, bindingType);
             authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState);
             authSession.setClientNote(SamlProtocol.SAML_REQUEST_ID, requestAbstractType.getID());
 
             // Handle NameIDPolicy from SP
             NameIDPolicyType nameIdPolicy = requestAbstractType.getNameIDPolicy();
             final URI nameIdFormatUri = nameIdPolicy == null ? null : nameIdPolicy.getFormat();
             if (nameIdFormatUri != null && ! samlClient.forceNameIDFormat()) {
                 String nameIdFormat = nameIdFormatUri.toString();
                 // TODO: Handle AllowCreate too, relevant for persistent NameID.
                 if (isSupportedNameIdFormat(nameIdFormat)) {
                     authSession.setClientNote(GeneralConstants.NAMEID_FORMAT, nameIdFormat);
                 } else {
                     event.detail(Details.REASON, "unsupported_nameid_format");
                     event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                     return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.UNSUPPORTED_NAME_ID_FORMAT);
                 }
             }
 
             //Reading subject/nameID in the saml request
             SubjectType subject = requestAbstractType.getSubject();
             if (subject != null) {
                 SubjectType.STSubType subType = subject.getSubType();
                 if (subType != null) {
                     BaseIDAbstractType baseID = subject.getSubType().getBaseID();
                     if (baseID != null && baseID instanceof NameIDType) {
                         NameIDType nameID = (NameIDType) baseID;
                         authSession.setClientNote(OIDCLoginProtocol.LOGIN_HINT_PARAM, nameID.getValue());
                     }
 
                 }
             }
             //If unset we fall back to default "false"
             final boolean isPassive = (null == requestAbstractType.isIsPassive() ?
                     false : requestAbstractType.isIsPassive().booleanValue());
             return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication);
         }

◆ logoutRequest()

Response org.keycloak.protocol.saml.SamlService.BindingProtocol.logoutRequest	(	LogoutRequestType	logoutRequest,
		ClientModel	client,
		String	relayState
	)

inlineprotected

                                                                                                                  {
             SamlClient samlClient = new SamlClient(client);
             // validate destination
             if (logoutRequest.getDestination() == null && samlClient.requiresClientSignature()) {
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             if (! destinationValidator.validate(logoutRequest.getDestination(), session.getContext().getUri().getAbsolutePath())) {
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
 
             // authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
             AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, false);
             if (authResult != null) {
                 String logoutBinding = getBindingType();
                 String postBindingUri = SamlProtocol.getLogoutServiceUrl(session.getContext().getUri(), client, SamlProtocol.SAML_POST_BINDING);
                 if (samlClient.forcePostBinding() && postBindingUri != null && ! postBindingUri.trim().isEmpty())
                     logoutBinding = SamlProtocol.SAML_POST_BINDING;
                 boolean postBinding = Objects.equals(SamlProtocol.SAML_POST_BINDING, logoutBinding);
 
                 String bindingUri = SamlProtocol.getLogoutServiceUrl(session.getContext().getUri(), client, logoutBinding);
                 UserSessionModel userSession = authResult.getSession();
                 userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING_URI, bindingUri);
                 if (samlClient.requiresRealmSignature()) {
                     userSession.setNote(SamlProtocol.SAML_LOGOUT_SIGNATURE_ALGORITHM, samlClient.getSignatureAlgorithm().toString());
 
                 }
                 if (relayState != null)
                     userSession.setNote(SamlProtocol.SAML_LOGOUT_RELAY_STATE, relayState);
                 userSession.setNote(SamlProtocol.SAML_LOGOUT_REQUEST_ID, logoutRequest.getID());
                 userSession.setNote(SamlProtocol.SAML_LOGOUT_BINDING, logoutBinding);
                 userSession.setNote(SamlProtocol.SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO, Boolean.toString((! postBinding) && samlClient.addExtensionsElementWithKeyInfo()));
                 userSession.setNote(SamlProtocol.SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER, samlClient.getXmlSigKeyInfoKeyNameTransformer().name());
                 userSession.setNote(SamlProtocol.SAML_LOGOUT_CANONICALIZATION, samlClient.getCanonicalizationMethod());
                 userSession.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, SamlProtocol.LOGIN_PROTOCOL);
                 // remove client from logout requests
                 AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(client.getId());
                 if (clientSession != null) {
                     clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name());
                 }
                 logger.debug("browser Logout");
                 return authManager.browserLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers);
             } else if (logoutRequest.getSessionIndex() != null) {
                 for (String sessionIndex : logoutRequest.getSessionIndex()) {
 
                     AuthenticatedClientSessionModel clientSession = SamlSessionUtils.getClientSession(session, realm, sessionIndex);
                     if (clientSession == null)
                         continue;
                     UserSessionModel userSession = clientSession.getUserSession();
                     if (clientSession.getClient().getClientId().equals(client.getClientId())) {
                         // remove requesting client from logout
                         clientSession.setAction(AuthenticationSessionModel.Action.LOGGED_OUT.name());
                     }
 
                     try {
                         authManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, true);
                     } catch (Exception e) {
                         logger.warn("Failure with backchannel logout", e);
                     }
 
                 }
 
             }
 
             // default
 
             String logoutBinding = getBindingType();
             String logoutBindingUri = SamlProtocol.getLogoutServiceUrl(session.getContext().getUri(), client, logoutBinding);
             String logoutRelayState = relayState;
             SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
             builder.logoutRequestID(logoutRequest.getID());
             builder.destination(logoutBindingUri);
             builder.issuer(RealmsResource.realmBaseUrl(session.getContext().getUri()).build(realm.getName()).toString());
             JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(logoutRelayState);
             boolean postBinding = SamlProtocol.SAML_POST_BINDING.equals(logoutBinding);
             if (samlClient.requiresRealmSignature()) {
                 SignatureAlgorithm algorithm = samlClient.getSignatureAlgorithm();
                 KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
                 binding.signatureAlgorithm(algorithm).signWith(keys.getKid(), keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signDocument();
                 if (! postBinding && samlClient.addExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                     builder.addExtension(new KeycloakKeySamlExtensionGenerator(keys.getKid()));
                 }
             }
             try {
                 if (postBinding) {
                     return binding.postBinding(builder.buildDocument()).response(logoutBindingUri);
                 } else {
                     return binding.redirectBinding(builder.buildDocument()).response(logoutBindingUri);
                 }
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
         }

◆ verifySignature()

abstract void org.keycloak.protocol.saml.SamlService.BindingProtocol.verifySignature	(	SAMLDocumentHolder	documentHolder,
		ClientModel	client
	)		throws VerificationException

abstractprotected

メンバ詳解

◆ redirectToAuthentication

boolean org.keycloak.protocol.saml.SamlService.BindingProtocol.redirectToAuthentication

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/protocol/saml/SamlService.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

詳解

関数詳解

◆ basicChecks()

◆ checkSsl()

◆ execute()

◆ extractRequestDocument()

◆ extractResponseDocument()

◆ getBindingType() [1/2]

◆ getBindingType() [2/2]

◆ handleSamlRequest()

◆ handleSamlResponse()

◆ isSupportedNameIdFormat()

◆ loginRequest()

◆ logoutRequest()

◆ verifySignature()

メンバ詳解

◆ redirectToAuthentication