org.keycloak.broker.saml.SAMLIdentityProvider の継承関係図

org.keycloak.broker.saml.SAMLIdentityProvider 連携図

公開メンバ関数
	SAMLIdentityProvider (KeycloakSession session, SAMLIdentityProviderConfig config, DestinationValidator destinationValidator)

Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)

Response	performLogin (AuthenticationRequest request)

void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)

Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)

void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)

Response	export (UriInfo uriInfo, RealmModel realm, String format)

SignatureAlgorithm	getSignatureAlgorithm ()

IdentityProviderDataMarshaller	getMarshaller ()

C	getConfig ()

void	close ()

Response	exchangeNotSupported ()

Response	exchangeNotLinked (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeNotLinkedNoStore (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeTokenExpired (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, UserModel tokenSubject)

Response	exchangeUnsupportedRequiredType ()

void	preprocessFederatedIdentity (KeycloakSession session, RealmModel realm, BrokeredIdentityContext context)

void	importNewUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

void	updateBrokeredUser (KeycloakSession session, RealmModel realm, UserModel user, BrokeredIdentityContext context)

静的公開変数類
static final String	ACCOUNT_LINK_URL

限定公開メンバ関数
SAML2LogoutRequestBuilder	buildLogoutRequest (UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl)

Response	exchangeErrorResponse (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession, String errorCode, String reason)

String	getLinkingUrl (UriInfo uriInfo, ClientModel authorizedClient, UserSessionModel tokenUserSession)

限定公開変数類
final KeycloakSession	session

静的限定公開変数類
static final Logger	logger = Logger.getLogger(SAMLIdentityProvider.class)

非公開メンバ関数
String	getEntityId (UriInfo uriInfo, RealmModel realm)

JaxrsSAML2BindingBuilder	buildLogoutBinding (KeycloakSession session, UserSessionModel userSession, RealmModel realm)

静的非公開メンバ関数
static void	addKeyInfo (StringBuilder target, RsaKeyMetadata key, String purpose)

非公開変数類
final DestinationValidator	destinationValidator

詳解

著者: Pedro Igor

構築子と解体子

◆ SAMLIdentityProvider()

org.keycloak.broker.saml.SAMLIdentityProvider.SAMLIdentityProvider	(	KeycloakSession	session,
		SAMLIdentityProviderConfig	config,
		DestinationValidator	destinationValidator
	)

inline

                                                                                                                                        {
         super(session, config);
         this.destinationValidator = destinationValidator;
     }

関数詳解

◆ addKeyInfo()

static void org.keycloak.broker.saml.SAMLIdentityProvider.addKeyInfo	(	StringBuilder	target,
		RsaKeyMetadata	key,
		String	purpose
	)

inlinestaticprivate

                                                                                              {
         if (key == null) {
             return;
         }
 
         target.append(SPMetadataDescriptor.xmlKeyInfo("        ", key.getKid(), PemUtils.encodeCertificate(key.getCertificate()), purpose, true));
     }

◆ authenticationFinished()

void org.keycloak.broker.saml.SAMLIdentityProvider.authenticationFinished	(	AuthenticationSessionModel	authSession,
		BrokeredIdentityContext	context
	)

inline

                                                                                                                  {
         ResponseType responseType = (ResponseType)context.getContextData().get(SAMLEndpoint.SAML_LOGIN_RESPONSE);
         AssertionType assertion = (AssertionType)context.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
         SubjectType subject = assertion.getSubject();
         SubjectType.STSubType subType = subject.getSubType();
         NameIDType subjectNameID = (NameIDType) subType.getBaseID();
         authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT, subjectNameID.getValue());
         if (subjectNameID.getFormat() != null) authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT, subjectNameID.getFormat().toString());
         AuthnStatementType authn =  (AuthnStatementType)context.getContextData().get(SAMLEndpoint.SAML_AUTHN_STATEMENT);
         if (authn != null && authn.getSessionIndex() != null) {
             authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX, authn.getSessionIndex());
 
         }
     }

◆ backchannelLogout()

void org.keycloak.broker.saml.SAMLIdentityProvider.backchannelLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inline

                                                                                                                             {
         String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
         if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("") || !getConfig().isBackchannelSupported()) return;
         SAML2LogoutRequestBuilder logoutBuilder = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
         JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
         try {
             int status = SimpleHttp.doPost(singleLogoutServiceUrl, session)
                     .param(GeneralConstants.SAML_REQUEST_KEY, binding.postBinding(logoutBuilder.buildDocument()).encoded())
                     .param(GeneralConstants.RELAY_STATE, userSession.getId()).asStatus();
             boolean success = status >=200 && status < 400;
             if (!success) {
                 logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl);
             }
         } catch (Exception e) {
             logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl, e);
         }
 
     }

◆ buildLogoutBinding()

JaxrsSAML2BindingBuilder org.keycloak.broker.saml.SAMLIdentityProvider.buildLogoutBinding	(	KeycloakSession	session,
		UserSessionModel	userSession,
		RealmModel	realm
	)

inlineprivate

                                                                                                                                  {
         JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder()
                 .relayState(userSession.getId());
         if (getConfig().isWantAuthnRequestsSigned()) {
             KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
             String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
             binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
                     .signatureAlgorithm(getSignatureAlgorithm())
                     .signDocument();
         }
         return binding;
     }

◆ buildLogoutRequest()

SAML2LogoutRequestBuilder org.keycloak.broker.saml.SAMLIdentityProvider.buildLogoutRequest	(	UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm,
		String	singleLogoutServiceUrl
	)

inlineprotected

                                                                                                                                                            {
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
                 .assertionExpiration(realm.getAccessCodeLifespan())
                 .issuer(getEntityId(uriInfo, realm))
                 .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
                 .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT), userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
                 .destination(singleLogoutServiceUrl);
         return logoutBuilder;
     }

◆ callback()

Object org.keycloak.broker.saml.SAMLIdentityProvider.callback	(	RealmModel	realm,
		AuthenticationCallback	callback,
		EventBuilder	event
	)

inline

                                                                                                   {
         return new SAMLEndpoint(realm, this, getConfig(), callback, destinationValidator);
     }

◆ close()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.close ( )

inlineinherited

                         {
         // no-op
     }

◆ exchangeErrorResponse()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeErrorResponse	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		String	errorCode,
		String	reason
	)

inlineprotectedinherited

                                                                                                                                                                 {
         Map<String, String> error = new HashMap<>();
         error.put("error", errorCode);
         error.put("error_description", reason);
         String accountLinkUrl = getLinkingUrl(uriInfo, authorizedClient, tokenUserSession);
         if (accountLinkUrl != null) error.put(ACCOUNT_LINK_URL, accountLinkUrl);
         return Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeNotLinked()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotLinked	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                 {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "not_linked", "identity provider is not linked");
     }

◆ exchangeNotLinkedNoStore()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotLinkedNoStore	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                        {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "not_linked", "identity provider is not linked, can only link to current user session");
     }

◆ exchangeNotSupported()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeNotSupported ( )

inlineinherited

                                            {
         Map<String, String> error = new HashMap<>();
         error.put("error", "invalid_target");
         error.put("error_description", "target_exchange_unsupported");
         return  Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ exchangeTokenExpired()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeTokenExpired	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession,
		UserModel	tokenSubject
	)

inlineinherited

                                                                                                                                                    {
         return exchangeErrorResponse(uriInfo, authorizedClient, tokenUserSession, "token_expired", "linked token is expired");
     }

◆ exchangeUnsupportedRequiredType()

Response org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.exchangeUnsupportedRequiredType ( )

inlineinherited

                                                       {
         Map<String, String> error = new HashMap<>();
         error.put("error", "invalid_target");
         error.put("error_description", "response_token_type_unsupported");
         return Response.status(400).entity(error).type(MediaType.APPLICATION_JSON_TYPE).build();
     }

◆ export()

Response org.keycloak.broker.saml.SAMLIdentityProvider.export	(	UriInfo	uriInfo,
		RealmModel	realm,
		String	format
	)

inline

                                                                              {
 
         String authnBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
 
         if (getConfig().isPostBindingAuthnRequest()) {
             authnBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
         }
 
         String endpoint = uriInfo.getBaseUriBuilder()
                 .path("realms").path(realm.getName())
                 .path("broker")
                 .path(getConfig().getAlias())
                 .path("endpoint")
                 .build().toString();
 
 
         boolean wantAuthnRequestsSigned = getConfig().isWantAuthnRequestsSigned();
         boolean wantAssertionsSigned = getConfig().isWantAssertionsSigned();
         boolean wantAssertionsEncrypted = getConfig().isWantAssertionsEncrypted();
         String entityId = getEntityId(uriInfo, realm);
         String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
 
         StringBuilder signingKeysString = new StringBuilder();
         StringBuilder encryptionKeysString = new StringBuilder();
         Set<RsaKeyMetadata> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
           ? (int) (o2.getProviderPriority() - o1.getProviderPriority())
           : (o1.getStatus() == KeyStatus.PASSIVE ? 1 : -1));
         keys.addAll(session.keys().getRsaKeys(realm));
         for (RsaKeyMetadata key : keys) {
             addKeyInfo(signingKeysString, key, KeyTypes.SIGNING.value());
 
             if (key.getStatus() == KeyStatus.ACTIVE) {
                 addKeyInfo(encryptionKeysString, key, KeyTypes.ENCRYPTION.value());
             }
         }
         String descriptor = SPMetadataDescriptor.getSPDescriptor(authnBinding, endpoint, endpoint,
           wantAuthnRequestsSigned, wantAssertionsSigned, wantAssertionsEncrypted,
           entityId, nameIDPolicyFormat, signingKeysString.toString(), encryptionKeysString.toString());
 
         return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
     }

◆ getConfig()

C org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.getConfig ( )

inlineinherited

                          {
         return this.config;
     }

◆ getEntityId()

String org.keycloak.broker.saml.SAMLIdentityProvider.getEntityId	(	UriInfo	uriInfo,
		RealmModel	realm
	)

inlineprivate

                                                                   {
         return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString();
     }

◆ getLinkingUrl()

String org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.getLinkingUrl	(	UriInfo	uriInfo,
		ClientModel	authorizedClient,
		UserSessionModel	tokenUserSession
	)

inlineprotectedinherited

                                                                                                                      {
         String provider = getConfig().getAlias();
         String clientId = authorizedClient.getClientId();
         String nonce = UUID.randomUUID().toString();
         MessageDigest md = null;
         try {
             md = MessageDigest.getInstance("SHA-256");
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(e);
         }
         String input = nonce + tokenUserSession.getId() + clientId + provider;
         byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
         String hash = Base64Url.encode(check);
         return KeycloakUriBuilder.fromUri(uriInfo.getBaseUri())
                 .path("/realms/{realm}/broker/{provider}/link")
                 .queryParam("nonce", nonce)
                 .queryParam("hash", hash)
                 .queryParam("client_id", clientId)
                 .build(authorizedClient.getRealm().getName(), provider)
                 .toString();
     }

◆ getMarshaller()

IdentityProviderDataMarshaller org.keycloak.broker.saml.SAMLIdentityProvider.getMarshaller ( )

inline

                                                           {
         return new SAMLDataMarshaller();
     }

◆ getSignatureAlgorithm()

SignatureAlgorithm org.keycloak.broker.saml.SAMLIdentityProvider.getSignatureAlgorithm ( )

inline

                                                       {
         String alg = getConfig().getSignatureAlgorithm();
         if (alg != null) {
             SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
             if (algorithm != null) return algorithm;
         }
         return SignatureAlgorithm.RSA_SHA256;
     }

◆ importNewUser()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.importNewUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                           {
 
     }

◆ keycloakInitiatedBrowserLogout()

Response org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout	(	KeycloakSession	session,
		UserSessionModel	userSession,
		UriInfo	uriInfo,
		RealmModel	realm
	)

inline

                                                                                                                                              {
         String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
         if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("")) return null;
 
         if (getConfig().isBackchannelSupported()) {
             backchannelLogout(session, userSession, uriInfo, realm);
             return null;
        } else {
             try {
                 SAML2LogoutRequestBuilder logoutBuilder = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
                 JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
                 if (getConfig().isPostBindingLogout()) {
                     return binding.postBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
                 } else {
                     return binding.redirectBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
                 }
             } catch (Exception e) {
                 throw new RuntimeException(e);
             }
         }
     }

◆ performLogin()

Response org.keycloak.broker.saml.SAMLIdentityProvider.performLogin ( AuthenticationRequest request )

inline

                                                                 {
         try {
             UriInfo uriInfo = request.getUriInfo();
             RealmModel realm = request.getRealm();
             String issuerURL = getEntityId(uriInfo, realm);
             String destinationUrl = getConfig().getSingleSignOnServiceUrl();
             String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();
 
             if (nameIDPolicyFormat == null) {
                 nameIDPolicyFormat =  JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
             }
 
             String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
 
             String assertionConsumerServiceUrl = request.getRedirectUri();
 
             if (getConfig().isPostBindingResponse()) {
                 protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
             }
 
             SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
                     .assertionConsumerUrl(assertionConsumerServiceUrl)
                     .destination(destinationUrl)
                     .issuer(issuerURL)
                     .forceAuthn(getConfig().isForceAuthn())
                     .protocolBinding(protocolBinding)
                     .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
             JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder()
                     .relayState(request.getState().getEncoded());
             boolean postBinding = getConfig().isPostBindingAuthnRequest();
 
             if (getConfig().isWantAuthnRequestsSigned()) {
                 KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
 
                 KeyPair keypair = new KeyPair(keys.getPublicKey(), keys.getPrivateKey());
 
                 String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                 binding.signWith(keyName, keypair);
                 binding.signatureAlgorithm(getSignatureAlgorithm());
                 binding.signDocument();
                 if (! postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                     authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                 }
             }
 
             if (postBinding) {
                 return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
             } else {
                 return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
             }
         } catch (Exception e) {
             throw new IdentityBrokerException("Could not create authentication request.", e);
         }
     }

◆ preprocessFederatedIdentity()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.preprocessFederatedIdentity	(	KeycloakSession	session,
		RealmModel	realm,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                         {
 
     }

◆ retrieveToken()

Response org.keycloak.broker.saml.SAMLIdentityProvider.retrieveToken	(	KeycloakSession	session,
		FederatedIdentityModel	identity
	)

inline

                                                                                             {
         return Response.ok(identity.getToken()).build();
     }

◆ updateBrokeredUser()

void org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.updateBrokeredUser	(	KeycloakSession	session,
		RealmModel	realm,
		UserModel	user,
		BrokeredIdentityContext	context
	)

inlineinherited

                                                                                                                                {
 
     }

メンバ詳解

◆ ACCOUNT_LINK_URL

final String org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.ACCOUNT_LINK_URL

staticinherited

◆ destinationValidator

final DestinationValidator org.keycloak.broker.saml.SAMLIdentityProvider.destinationValidator

private

◆ logger

final Logger org.keycloak.broker.saml.SAMLIdentityProvider.logger = Logger.getLogger(SAMLIdentityProvider.class)

staticprotected

◆ session

final KeycloakSession org.keycloak.broker.provider.AbstractIdentityProvider< C extends IdentityProviderModel >.session

protectedinherited

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java

公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的限定公開変数類

非公開メンバ関数

静的非公開メンバ関数

非公開変数類

詳解

構築子と解体子

◆ SAMLIdentityProvider()

関数詳解

◆ addKeyInfo()

◆ authenticationFinished()

◆ backchannelLogout()

◆ buildLogoutBinding()

◆ buildLogoutRequest()

◆ callback()

◆ close()

◆ exchangeErrorResponse()

◆ exchangeNotLinked()

◆ exchangeNotLinkedNoStore()

◆ exchangeNotSupported()

◆ exchangeTokenExpired()

◆ exchangeUnsupportedRequiredType()

◆ export()

◆ getConfig()

◆ getEntityId()

◆ getLinkingUrl()

◆ getMarshaller()

◆ getSignatureAlgorithm()

◆ importNewUser()

◆ keycloakInitiatedBrowserLogout()

◆ performLogin()

◆ preprocessFederatedIdentity()

◆ retrieveToken()

◆ updateBrokeredUser()

メンバ詳解

◆ ACCOUNT_LINK_URL

◆ destinationValidator

◆ logger

◆ session