org.keycloak.protocol.saml.SamlService クラス

org.keycloak.protocol.saml.SamlService の継承関係図

org.keycloak.protocol.saml.SamlService 連携図

クラス
class	BindingProtocol
class	PostBindingProtocol
class	RedirectBindingProtocol

公開メンバ関数
	SamlService (RealmModel realm, EventBuilder event, DestinationValidator destinationValidator)
Response	redirectBinding (@QueryParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @QueryParam(GeneralConstants.RELAY_STATE) String relayState)
Response	postBinding (@FormParam(GeneralConstants.SAML_REQUEST_KEY) String samlRequest, @FormParam(GeneralConstants.SAML_RESPONSE_KEY) String samlResponse, @FormParam(GeneralConstants.RELAY_STATE) String relayState)
String	getDescriptor () throws Exception
Response	idpInitiatedSSO (@PathParam("client") String clientUrlName, @QueryParam("RelayState") String relayState)
AuthenticationSessionModel	getOrCreateLoginSessionForIdpInitiatedSso (KeycloakSession session, RealmModel realm, ClientModel client, String relayState)
Response	soapBinding (InputStream inputStream)

静的公開メンバ関数
static String	getIDPMetadataDescriptor (UriInfo uriInfo, KeycloakSession session, RealmModel realm) throws IOException

静的公開変数類
static final String	APP_INITIATED_FLOW = "APP_INITIATED_FLOW"

限定公開メンバ関数
Response	newBrowserAuthentication (AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication)
Response	newBrowserAuthentication (AuthenticationSessionModel authSession, boolean isPassive, boolean redirectToAuthentication, SamlProtocol samlProtocol)
AuthenticationProcessor	createProcessor (AuthenticationSessionModel authSession, String flowId, String flowPath)
Response	handleBrowserAuthenticationRequest (AuthenticationSessionModel authSession, LoginProtocol protocol, boolean isPassive, boolean redirectToAuthentication)
AuthenticationFlowModel	getAuthenticationFlow (AuthenticationSessionModel authSession)
void	checkSsl ()
void	checkRealm ()
AuthenticationSessionModel	createAuthenticationSession (ClientModel client, String requestState)

限定公開変数類
RealmModel	realm
EventBuilder	event
AuthenticationManager	authManager
HttpHeaders	headers
HttpRequest	httpRequest
KeycloakSession	session
ClientConnection	clientConnection

静的限定公開変数類
static final Logger	logger = Logger.getLogger(SamlService.class)

静的非公開メンバ関数
static void	addKeyInfo (StringBuilder target, RsaKeyMetadata key, String purpose)

非公開変数類
final DestinationValidator	destinationValidator

詳解

Resource class for the saml connect token service

著者

Bill Burke

バージョン

Revision

1

構築子と解体子

SamlService()

org.keycloak.protocol.saml.SamlService.SamlService ( RealmModel  realm, EventBuilder  event, DestinationValidator  destinationValidator  )

inline

                                                                                                        {
        super(realm, event);
        this.destinationValidator = destinationValidator;
    }

関数詳解

addKeyInfo()

static void org.keycloak.protocol.saml.SamlService.addKeyInfo ( StringBuilder  target, RsaKeyMetadata  key, String  purpose  )

inlinestaticprivate

                                                                                             {
        if (key == null) {
            return;
        }

        target.append(SPMetadataDescriptor.xmlKeyInfo("                        ",
          key.getKid(), PemUtils.encodeCertificate(key.getCertificate()), purpose, false));
    }

checkRealm()

void org.keycloak.protocol.AuthorizationEndpointBase.checkRealm ( )

inlineprotectedinherited

                                {
        if (!realm.isEnabled()) {
            event.error(Errors.REALM_DISABLED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
        }
    }

checkSsl()

void org.keycloak.protocol.AuthorizationEndpointBase.checkSsl ( )

inlineprotectedinherited

                              {
        if (!session.getContext().getUri().getBaseUri().getScheme().equals("https") && realm.getSslRequired().isRequired(clientConnection)) {
            event.error(Errors.SSL_REQUIRED);
            throw new ErrorPageException(session, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
        }
    }

createAuthenticationSession()

AuthenticationSessionModel org.keycloak.protocol.AuthorizationEndpointBase.createAuthenticationSession ( ClientModel  client, String  requestState  )

inlineprotectedinherited

                                                                                                              {
        AuthenticationSessionManager manager = new AuthenticationSessionManager(session);
        RootAuthenticationSessionModel rootAuthSession = manager.getCurrentRootAuthenticationSession(realm);

        AuthenticationSessionModel authSession;

        if (rootAuthSession != null) {
            authSession = rootAuthSession.createAuthenticationSession(client);

            logger.debugf("Sent request to authz endpoint. Root authentication session with ID '%s' exists. Client is '%s' . Created new authentication session with tab ID: %s",
                    rootAuthSession.getId(), client.getClientId(), authSession.getTabId());
        } else {
            UserSessionCrossDCManager userSessionCrossDCManager = new UserSessionCrossDCManager(session);
            UserSessionModel userSession = userSessionCrossDCManager.getUserSessionIfExistsRemotely(manager, realm);

            if (userSession != null) {
                String userSessionId = userSession.getId();
                rootAuthSession = session.authenticationSessions().createRootAuthenticationSession(userSessionId, realm);
                authSession = rootAuthSession.createAuthenticationSession(client);
                logger.debugf("Sent request to authz endpoint. We don't have root authentication session with ID '%s' but we have userSession." +
                        "Re-created root authentication session with same ID. Client is: %s . New authentication session tab ID: %s", userSessionId, client.getClientId(), authSession.getTabId());
            } else {
                rootAuthSession = manager.createAuthenticationSession(realm, true);
                authSession = rootAuthSession.createAuthenticationSession(client);
                logger.debugf("Sent request to authz endpoint. Created new root authentication session with ID '%s' . Client: %s . New authentication session tab ID: %s",
                        rootAuthSession.getId(), client.getClientId(), authSession.getTabId());
            }
        }

        session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession);

        return authSession;

    }

createProcessor()

AuthenticationProcessor org.keycloak.protocol.AuthorizationEndpointBase.createProcessor ( AuthenticationSessionModel  authSession, String  flowId, String  flowPath  )

inlineprotectedinherited

                                                                                                                              {
        AuthenticationProcessor processor = new AuthenticationProcessor();
        processor.setAuthenticationSession(authSession)
                .setFlowPath(flowPath)
                .setFlowId(flowId)
                .setBrowserFlow(true)
                .setConnection(clientConnection)
                .setEventBuilder(event)
                .setRealm(realm)
                .setSession(session)
                .setUriInfo(session.getContext().getUri())
                .setRequest(httpRequest);

        authSession.setAuthNote(AuthenticationProcessor.CURRENT_FLOW_PATH, flowPath);

        return processor;
    }

getAuthenticationFlow()

AuthenticationFlowModel org.keycloak.protocol.AuthorizationEndpointBase.getAuthenticationFlow ( AuthenticationSessionModel  authSession )

inlineprotectedinherited

                                                                                                    {
        return AuthenticationFlowResolver.resolveBrowserFlow(authSession);
    }

getDescriptor()

String org.keycloak.protocol.saml.SamlService.getDescriptor ( ) throws Exception

inline

                                                   {
        return getIDPMetadataDescriptor(session.getContext().getUri(), session, realm);

    }

getIDPMetadataDescriptor()

static String org.keycloak.protocol.saml.SamlService.getIDPMetadataDescriptor ( UriInfo  uriInfo, KeycloakSession  session, RealmModel  realm  ) throws IOException

inlinestatic

                                                                                                                                 {
        InputStream is = SamlService.class.getResourceAsStream("/idp-metadata-template.xml");
        String template = StreamUtil.readString(is);
        Properties props = new Properties();
        props.put("idp.entityID", RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString());
        props.put("idp.sso.HTTP-POST", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
        props.put("idp.sso.HTTP-Redirect", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
        props.put("idp.sls.HTTP-POST", RealmsResource.protocolUrl(uriInfo).build(realm.getName(), SamlProtocol.LOGIN_PROTOCOL).toString());
        StringBuilder keysString = new StringBuilder();
        Set<RsaKeyMetadata> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
          ? (int) (o2.getProviderPriority() - o1.getProviderPriority())
          : (o1.getStatus() == KeyStatus.PASSIVE ? 1 : -1));
        keys.addAll(session.keys().getRsaKeys(realm));
        for (RsaKeyMetadata key : keys) {
            addKeyInfo(keysString, key, KeyTypes.SIGNING.value());
        }
        props.put("idp.signing.certificates", keysString.toString());
        return StringPropertyReplacer.replaceProperties(template, props);
    }

getOrCreateLoginSessionForIdpInitiatedSso()

AuthenticationSessionModel org.keycloak.protocol.saml.SamlService.getOrCreateLoginSessionForIdpInitiatedSso ( KeycloakSession  session, RealmModel  realm, ClientModel  client, String  relayState  )

inline

Creates a client session object for SAML IdP-initiated SSO session. The session takes the parameters from from client definition, namely binding type and redirect URL.

引数

session	KC session
realm	Realm to create client session in
client	Client to create client session for
relayState	Optional relay state - free field as per SAML specification

戻り値

                                                                                                                                                                  {
        String bindingType = SamlProtocol.SAML_POST_BINDING;
        if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) != null) {
            bindingType = SamlProtocol.SAML_REDIRECT_BINDING;
        }

        String redirect;
        if (bindingType.equals(SamlProtocol.SAML_REDIRECT_BINDING)) {
            redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE);
        } else {
            redirect = client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE);
        }
        if (redirect == null) {
            redirect = client.getManagementUrl();
        }

        AuthenticationSessionModel authSession = createAuthenticationSession(client, null);

        authSession.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
        authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
        authSession.setClientNote(SamlProtocol.SAML_BINDING, SamlProtocol.SAML_POST_BINDING);
        authSession.setClientNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true");
        authSession.setRedirectUri(redirect);

        if (relayState == null) {
            relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
        }
        if (relayState != null && !relayState.trim().equals("")) {
            authSession.setClientNote(GeneralConstants.RELAY_STATE, relayState);
        }

        return authSession;
    }

handleBrowserAuthenticationRequest()

Response org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest ( AuthenticationSessionModel  authSession, LoginProtocol  protocol, boolean  isPassive, boolean  redirectToAuthentication  )

inlineprotectedinherited

Common method to handle browser authentication request in protocols unified way.

引数

authSession	for current request
protocol	handler for protocol used to initiate login
isPassive	set to true if login should be passive (without login screen shown)
redirectToAuthentication	if true redirect to flow url. If initial call to protocol is a POST, you probably want to do this. This is so we can disable the back button on browser

戻り値

response to be returned to the browser

                                                                                                                                                                               {
        AuthenticationFlowModel flow = getAuthenticationFlow(authSession);
        String flowId = flow.getId();
        AuthenticationProcessor processor = createProcessor(authSession, flowId, LoginActionsService.AUTHENTICATE_PATH);
        event.detail(Details.CODE_ID, authSession.getParentSession().getId());
        if (isPassive) {
            // OIDC prompt == NONE or SAML 2 IsPassive flag
            // This means that client is just checking if the user is already completely logged in.
            // We cancel login if any authentication action or required action is required
            try {
                if (processor.authenticateOnly() == null) {
                    // processor.attachSession();
                } else {
                    Response response = protocol.sendError(authSession, Error.PASSIVE_LOGIN_REQUIRED);
                    return response;
                }

                AuthenticationManager.setClientScopesInSession(authSession);

                if (processor.nextRequiredAction() != null) {
                    Response response = protocol.sendError(authSession, Error.PASSIVE_INTERACTION_REQUIRED);
                    return response;
                }

                // Attach session once no requiredActions or other things are required
                processor.attachSession();
            } catch (Exception e) {
                return processor.handleBrowserException(e);
            }
            return processor.finishAuthentication(protocol);
        } else {
            try {
                RestartLoginCookie.setRestartCookie(session, realm, clientConnection, session.getContext().getUri(), authSession);
                if (redirectToAuthentication) {
                    return processor.redirectToFlow();
                }
                return processor.authenticate();
            } catch (Exception e) {
                return processor.handleBrowserException(e);
            }
        }
    }

idpInitiatedSSO()

Response org.keycloak.protocol.saml.SamlService.idpInitiatedSSO ( @PathParam("client") String  clientUrlName, @QueryParam("RelayState") String  relayState  )

inline

                                                                                                                            {
        event.event(EventType.LOGIN);
        CacheControlUtil.noBackButtonCacheControlHeader();
        ClientModel client = null;
        for (ClientModel c : realm.getClients()) {
            String urlName = c.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME);
            if (urlName == null)
                continue;
            if (urlName.equals(clientUrlName)) {
                client = c;
                break;
            }
        }
        if (client == null) {
            event.error(Errors.CLIENT_NOT_FOUND);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_NOT_FOUND);
        }
        if (!client.isEnabled()) {
            event.error(Errors.CLIENT_DISABLED);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.CLIENT_DISABLED);
        }
        if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) == null) {
            logger.error("SAML assertion consumer url not set up");
            event.error(Errors.INVALID_REDIRECT_URI);
            return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI);
        }

        session.getContext().setClient(client);

        AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState);

        return newBrowserAuthentication(authSession, false, false);
    }

newBrowserAuthentication() [1/2]

Response org.keycloak.protocol.saml.SamlService.newBrowserAuthentication ( AuthenticationSessionModel  authSession, boolean  isPassive, boolean  redirectToAuthentication  )

inlineprotected

                                                                                                                                             {
        SamlProtocol samlProtocol = new SamlProtocol().setEventBuilder(event).setHttpHeaders(headers).setRealm(realm).setSession(session).setUriInfo(session.getContext().getUri());
        return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication, samlProtocol);
    }

newBrowserAuthentication() [2/2]

Response org.keycloak.protocol.saml.SamlService.newBrowserAuthentication ( AuthenticationSessionModel  authSession, boolean  isPassive, boolean  redirectToAuthentication, SamlProtocol  samlProtocol  )

inlineprotected

                                                                                                                                                                        {
        return handleBrowserAuthenticationRequest(authSession, samlProtocol, isPassive, redirectToAuthentication);
    }

postBinding()

Response org.keycloak.protocol.saml.SamlService.postBinding ( @FormParam(GeneralConstants.SAML_REQUEST_KEY) String  samlRequest, @FormParam(GeneralConstants.SAML_RESPONSE_KEY) String  samlResponse, @FormParam(GeneralConstants.RELAY_STATE) String  relayState  )

inline

                                                                                                                                                                                                                                  {
        logger.debug("SAML POST");
        PostBindingProtocol postBindingProtocol = new PostBindingProtocol();
        // this is to support back button on browser
        // if true, we redirect to authenticate URL otherwise back button behavior has bad side effects
        // and we want to turn it off.
        postBindingProtocol.redirectToAuthentication = true;
        return postBindingProtocol.execute(samlRequest, samlResponse, relayState);
    }

redirectBinding()

Response org.keycloak.protocol.saml.SamlService.redirectBinding ( @QueryParam(GeneralConstants.SAML_REQUEST_KEY) String  samlRequest, @QueryParam(GeneralConstants.SAML_RESPONSE_KEY) String  samlResponse, @QueryParam(GeneralConstants.RELAY_STATE) String  relayState  )

inline

                                                                                                                                                                                                                                         {
        logger.debug("SAML GET");
        CacheControlUtil.noBackButtonCacheControlHeader();
        return new RedirectBindingProtocol().execute(samlRequest, samlResponse, relayState);
    }

soapBinding()

Response org.keycloak.protocol.saml.SamlService.soapBinding ( InputStream  inputStream )

inline

                                                         {
        SamlEcpProfileService bindingService = new SamlEcpProfileService(realm, event, destinationValidator);

        ResteasyProviderFactory.getInstance().injectProperties(bindingService);

        return bindingService.authenticate(inputStream);
    }

メンバ詳解

APP_INITIATED_FLOW

final String org.keycloak.protocol.AuthorizationEndpointBase.APP_INITIATED_FLOW = "APP_INITIATED_FLOW"

staticinherited

authManager

AuthenticationManager org.keycloak.protocol.AuthorizationEndpointBase.authManager

protectedinherited

clientConnection

ClientConnection org.keycloak.protocol.AuthorizationEndpointBase.clientConnection

protectedinherited

destinationValidator

final DestinationValidator org.keycloak.protocol.saml.SamlService.destinationValidator

private

event

EventBuilder org.keycloak.protocol.AuthorizationEndpointBase.event

protectedinherited

headers

HttpHeaders org.keycloak.protocol.AuthorizationEndpointBase.headers

protectedinherited

httpRequest

HttpRequest org.keycloak.protocol.AuthorizationEndpointBase.httpRequest

protectedinherited

logger

final Logger org.keycloak.protocol.saml.SamlService.logger = Logger.getLogger(SamlService.class)

staticprotected

realm

RealmModel org.keycloak.protocol.AuthorizationEndpointBase.realm

protectedinherited

session

KeycloakSession org.keycloak.protocol.AuthorizationEndpointBase.session

protectedinherited

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/protocol/saml/SamlService.java