org.keycloak.broker.saml.SAMLEndpoint.PostBinding の継承関係図

org.keycloak.broker.saml.SAMLEndpoint.PostBinding 連携図

公開メンバ関数
Response	execute (String samlRequest, String samlResponse, String relayState, String clientId)

Response	handleSamlResponse (String samlResponse, String relayState, String clientId)

限定公開メンバ関数
void	verifySignature (String key, SAMLDocumentHolder documentHolder) throws VerificationException

SAMLDocumentHolder	extractRequestDocument (String samlRequest)

SAMLDocumentHolder	extractResponseDocument (String response)

String	getBindingType ()

Response	basicChecks (String samlRequest, String samlResponse)

KeyLocator	getIDPKeyLocator ()

Response	handleSamlRequest (String samlRequest, String relayState)

Response	logoutRequest (LogoutRequestType request, String relayState)

Response	handleLoginResponse (String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState, String clientId)

Response	handleLogoutResponse (SAMLDocumentHolder holder, StatusResponseType responseType, String relayState)

詳解

関数詳解

◆ basicChecks()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.basicChecks	(	String	samlRequest,
		String	samlResponse
	)

inlineprotectedinherited

                                                                                 {
             if (!checkSsl()) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.SSL_REQUIRED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.HTTPS_REQUIRED);
             }
             if (!realm.isEnabled()) {
                 event.event(EventType.LOGIN_ERROR);
                 event.error(Errors.REALM_DISABLED);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.REALM_NOT_ENABLED);
             }
 
             if (samlRequest == null && samlResponse == null) {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_REQUEST);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
 
             }
             return null;
         }

◆ execute()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.execute	(	String	samlRequest,
		String	samlResponse,
		String	relayState,
		String	clientId
	)

inlineinherited

                                                                                                              {
             event = new EventBuilder(realm, session, clientConnection);
             Response response = basicChecks(samlRequest, samlResponse);
             if (response != null) return response;
             if (samlRequest != null) return handleSamlRequest(samlRequest, relayState);
             else return handleSamlResponse(samlResponse, relayState, clientId);
         }

◆ extractRequestDocument()

SAMLDocumentHolder org.keycloak.broker.saml.SAMLEndpoint.PostBinding.extractRequestDocument ( String samlRequest )

inlineprotected

                                                                                 {
             return SAMLRequestParser.parseRequestPostBinding(samlRequest);
         }

◆ extractResponseDocument()

SAMLDocumentHolder org.keycloak.broker.saml.SAMLEndpoint.PostBinding.extractResponseDocument ( String response )

inlineprotected

                                                                               {
             byte[] samlBytes = PostBindingUtil.base64Decode(response);
             return SAMLRequestParser.parseResponseDocument(samlBytes);
         }

◆ getBindingType()

String org.keycloak.broker.saml.SAMLEndpoint.PostBinding.getBindingType ( )

inlineprotected

                                           {
             return SamlProtocol.SAML_POST_BINDING;
         }

◆ getIDPKeyLocator()

KeyLocator org.keycloak.broker.saml.SAMLEndpoint.Binding.getIDPKeyLocator ( )

inlineprotectedinherited

                                                 {
             List<Key> keys = new LinkedList<>();
 
             for (String signingCertificate : config.getSigningCertificates()) {
                 X509Certificate cert = null;
                 try {
                     cert = XMLSignatureUtil.getX509CertificateFromKeyInfoString(signingCertificate.replaceAll("\\s", ""));
                     cert.checkValidity();
                     keys.add(cert.getPublicKey());
                 } catch (CertificateException e) {
                     logger.warnf("Ignoring invalid certificate: %s", cert);
                 } catch (ProcessingException e) {
                     throw new RuntimeException(e);
                 }
             }
 
             return new HardcodedKeyLocator(keys);
         }

◆ handleLoginResponse()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.handleLoginResponse	(	String	samlResponse,
		SAMLDocumentHolder	holder,
		ResponseType	responseType,
		String	relayState,
		String	clientId
	)

inlineprotectedinherited

                                                                                                                                                               {
 
             try {
                 KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
                 if (! isSuccessfulSamlResponse(responseType)) {
                     String statusMessage = responseType.getStatus() == null ? Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR : responseType.getStatus().getStatusMessage();
                     return callback.error(relayState, statusMessage);
                 }
                 if (responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
                     return callback.error(relayState, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
                 }
 
                 boolean assertionIsEncrypted = AssertionUtil.isAssertionEncrypted(responseType);
 
                 if (config.isWantAssertionsEncrypted() && !assertionIsEncrypted) {
                     logger.error("The assertion is not encrypted, which is required.");
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                     event.error(Errors.INVALID_SAML_RESPONSE);
                     return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
                 Element assertionElement;
 
                 if (assertionIsEncrypted) {
                     // This methods writes the parsed and decrypted assertion back on the responseType parameter:
                     assertionElement = AssertionUtil.decryptAssertion(holder, responseType, keys.getPrivateKey());
                 } else {
                     /* We verify the assertion using original document to handle cases where the IdP
                     includes whitespace and/or newlines inside tags. */
                     assertionElement = DocumentUtil.getElement(holder.getSamlDocument(), new QName(JBossSAMLConstants.ASSERTION.get()));
                 }
 
                 boolean signed = AssertionUtil.isSignedElement(assertionElement);
                 if ((config.isWantAssertionsSigned() && !signed)
                         || (signed && config.isValidateSignature() && !AssertionUtil.isSignatureValid(assertionElement, getIDPKeyLocator()))) {
                     logger.error("validation failed");
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                     event.error(Errors.INVALID_SIGNATURE);
                     return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
 
                 AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
 
                 SubjectType subject = assertion.getSubject();
                 SubjectType.STSubType subType = subject.getSubType();
                 NameIDType subjectNameID = (NameIDType) subType.getBaseID();
                 //Map<String, String> notes = new HashMap<>();
                 BrokeredIdentityContext identity = new BrokeredIdentityContext(subjectNameID.getValue());
                 identity.getContextData().put(SAML_LOGIN_RESPONSE, responseType);
                 identity.getContextData().put(SAML_ASSERTION, assertion);
                 if (clientId != null && ! clientId.trim().isEmpty()) {
                     identity.getContextData().put(SAML_IDP_INITIATED_CLIENT_ID, clientId);
                 }
 
                 identity.setUsername(subjectNameID.getValue());
 
                 //SAML Spec 2.2.2 Format is optional
                 if (subjectNameID.getFormat() != null && subjectNameID.getFormat().toString().equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
                     identity.setEmail(subjectNameID.getValue());
                 }
 
                 if (config.isStoreToken()) {
                     identity.setToken(samlResponse);
                 }
 
                 AuthnStatementType authn = null;
                 for (Object statement : assertion.getStatements()) {
                     if (statement instanceof AuthnStatementType) {
                         authn = (AuthnStatementType)statement;
                         identity.getContextData().put(SAML_AUTHN_STATEMENT, authn);
                         break;
                     }
                 }
                 if (assertion.getAttributeStatements() != null ) {
                     for (AttributeStatementType attrStatement : assertion.getAttributeStatements()) {
                         for (AttributeStatementType.ASTChoiceType choice : attrStatement.getAttributes()) {
                             AttributeType attribute = choice.getAttribute();
                             if (X500SAMLProfileConstants.EMAIL.getFriendlyName().equals(attribute.getFriendlyName())
                                     || X500SAMLProfileConstants.EMAIL.get().equals(attribute.getName())) {
                                 if (!attribute.getAttributeValue().isEmpty()) identity.setEmail(attribute.getAttributeValue().get(0).toString());
                             }
                         }
 
                     }
 
                 }
                 String brokerUserId = config.getAlias() + "." + subjectNameID.getValue();
                 identity.setBrokerUserId(brokerUserId);
                 identity.setIdpConfig(config);
                 identity.setIdp(provider);
                 if (authn != null && authn.getSessionIndex() != null) {
                     identity.setBrokerSessionId(identity.getBrokerUserId() + "." + authn.getSessionIndex());
                  }
                 identity.setCode(relayState);
 
 
                 return callback.authenticated(identity);
             } catch (WebApplicationException e) {
                 return e.getResponse();
             } catch (Exception e) {
                 throw new IdentityBrokerException("Could not process response from SAML identity provider.", e);
             }
         }

◆ handleLogoutResponse()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.handleLogoutResponse	(	SAMLDocumentHolder	holder,
		StatusResponseType	responseType,
		String	relayState
	)

inlineprotectedinherited

                                                                                                                                {
             if (relayState == null) {
                 logger.error("no valid user session");
                 event.event(EventType.LOGOUT);
                 event.error(Errors.USER_SESSION_NOT_FOUND);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
             }
             UserSessionModel userSession = session.sessions().getUserSession(realm, relayState);
             if (userSession == null) {
                 logger.error("no valid user session");
                 event.event(EventType.LOGOUT);
                 event.error(Errors.USER_SESSION_NOT_FOUND);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
             }
             if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
                 logger.error("usersession in different state");
                 event.event(EventType.LOGOUT);
                 event.error(Errors.USER_SESSION_NOT_FOUND);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE);
             }
             return AuthenticationManager.finishBrowserLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers);
         }

◆ handleSamlRequest()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.handleSamlRequest	(	String	samlRequest,
		String	relayState
	)

inlineprotectedinherited

                                                                                     {
             SAMLDocumentHolder holder = extractRequestDocument(samlRequest);
             RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
             // validate destination
             if (! destinationValidator.validate(session.getContext().getUri().getAbsolutePath(), requestAbstractType.getDestination())) {
                 event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
             if (config.isValidateSignature()) {
                 try {
                     verifySignature(GeneralConstants.SAML_REQUEST_KEY, holder);
                 } catch (VerificationException e) {
                     logger.error("validation failed", e);
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                     event.error(Errors.INVALID_SIGNATURE);
                     return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUESTER);
                 }
             }
 
             if (requestAbstractType instanceof LogoutRequestType) {
                 logger.debug("** logout request");
                 event.event(EventType.LOGOUT);
                 LogoutRequestType logout = (LogoutRequestType) requestAbstractType;
                 return logoutRequest(logout, relayState);
 
             } else {
                 event.event(EventType.LOGIN);
                 event.error(Errors.INVALID_TOKEN);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
             }
         }

◆ handleSamlResponse()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.handleSamlResponse	(	String	samlResponse,
		String	relayState,
		String	clientId
	)

inlineinherited

                                                                                                     {
             SAMLDocumentHolder holder = extractResponseDocument(samlResponse);
             StatusResponseType statusResponse = (StatusResponseType)holder.getSamlObject();
             // validate destination
             if (! destinationValidator.validate(session.getContext().getUri().getAbsolutePath(), statusResponse.getDestination())) {
                 event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                 event.detail(Details.REASON, "invalid_destination");
                 event.error(Errors.INVALID_SAML_RESPONSE);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
             }
             if (config.isValidateSignature()) {
                 try {
                     verifySignature(GeneralConstants.SAML_RESPONSE_KEY, holder);
                 } catch (VerificationException e) {
                     logger.error("validation failed", e);
                     event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
                     event.error(Errors.INVALID_SIGNATURE);
                     return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
                 }
             }
             if (statusResponse instanceof ResponseType) {
                 return handleLoginResponse(samlResponse, holder, (ResponseType)statusResponse, relayState, clientId);
 
             } else {
                 // todo need to check that it is actually a LogoutResponse
                 return handleLogoutResponse(holder, statusResponse, relayState);
             }
             //throw new RuntimeException("Unknown response type");
 
         }

◆ logoutRequest()

Response org.keycloak.broker.saml.SAMLEndpoint.Binding.logoutRequest	(	LogoutRequestType	request,
		String	relayState
	)

inlineprotectedinherited

                                                                                        {
             String brokerUserId = config.getAlias() + "." + request.getNameID().getValue();
             if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
                 List<UserSessionModel> userSessions = session.sessions().getUserSessionByBrokerUserId(realm, brokerUserId);
                 for (UserSessionModel userSession : userSessions) {
                     if (userSession.getState() == UserSessionModel.State.LOGGING_OUT || userSession.getState() == UserSessionModel.State.LOGGED_OUT) {
                         continue;
                     }
                     try {
                         AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, false);
                     } catch (Exception e) {
                         logger.warn("failed to do backchannel logout for userSession", e);
                     }
                 }
 
             }  else {
                 for (String sessionIndex : request.getSessionIndex()) {
                     String brokerSessionId = brokerUserId + "." + sessionIndex;
                     UserSessionModel userSession = session.sessions().getUserSessionByBrokerSessionId(realm, brokerSessionId);
                     if (userSession != null) {
                         if (userSession.getState() == UserSessionModel.State.LOGGING_OUT || userSession.getState() == UserSessionModel.State.LOGGED_OUT) {
                             continue;
                         }
                         try {
                             AuthenticationManager.backchannelLogout(session, realm, userSession, session.getContext().getUri(), clientConnection, headers, false);
                         } catch (Exception e) {
                             logger.warn("failed to do backchannel logout for userSession", e);
                         }
                     }
                 }
             }
 
             String issuerURL = getEntityId(session.getContext().getUri(), realm);
             SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
             builder.logoutRequestID(request.getID());
             builder.destination(config.getSingleLogoutServiceUrl());
             builder.issuer(issuerURL);
             JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder()
                         .relayState(relayState);
             boolean postBinding = config.isPostBindingLogout();
             if (config.isWantAuthnRequestsSigned()) {
                 KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
                 String keyName = config.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                 binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
                         .signatureAlgorithm(provider.getSignatureAlgorithm())
                         .signDocument();
                 if (! postBinding && config.isAddExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                     builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                 }
             }
             try {
                 if (postBinding) {
                     return binding.postBinding(builder.buildDocument()).response(config.getSingleLogoutServiceUrl());
                 } else {
                     return binding.redirectBinding(builder.buildDocument()).response(config.getSingleLogoutServiceUrl());
                 }
             } catch (ConfigurationException e) {
                 throw new RuntimeException(e);
             } catch (ProcessingException e) {
                 throw new RuntimeException(e);
             } catch (IOException e) {
                 throw new RuntimeException(e);
             }
 
         }

◆ verifySignature()

void org.keycloak.broker.saml.SAMLEndpoint.PostBinding.verifySignature	(	String	key,
		SAMLDocumentHolder	documentHolder
	)		throws VerificationException

inlineprotected

                                                                                                                    {
             NodeList nl = documentHolder.getSamlDocument().getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
             boolean anyElementSigned = (nl != null && nl.getLength() > 0);
             if ((! anyElementSigned) && (documentHolder.getSamlObject() instanceof ResponseType)) {
                 ResponseType responseType = (ResponseType) documentHolder.getSamlObject();
                 List<ResponseType.RTChoiceType> assertions = responseType.getAssertions();
                 if (! assertions.isEmpty() ) {
                     // Only relax verification if the response is an authnresponse and contains (encrypted/plaintext) assertion.
                     // In that case, signature is validated on assertion element
                     return;
                 }
             }
             SamlProtocolUtils.verifyDocumentSignature(documentHolder.getSamlDocument(), getIDPKeyLocator());
         }

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java

公開メンバ関数

限定公開メンバ関数

詳解

関数詳解

◆ basicChecks()

◆ execute()

◆ extractRequestDocument()

◆ extractResponseDocument()

◆ getBindingType()

◆ getIDPKeyLocator()

◆ handleLoginResponse()

◆ handleLogoutResponse()

◆ handleSamlRequest()

◆ handleSamlResponse()

◆ logoutRequest()

◆ verifySignature()