org.keycloak.protocol.saml.SamlProtocol の継承関係図

org.keycloak.protocol.saml.SamlProtocol 連携図

クラス
class	ProtocolMapperProcessor

公開メンバ関数
SamlProtocol	setSession (KeycloakSession session)

SamlProtocol	setRealm (RealmModel realm)

SamlProtocol	setUriInfo (UriInfo uriInfo)

SamlProtocol	setHttpHeaders (HttpHeaders headers)

SamlProtocol	setEventBuilder (EventBuilder event)

Response	sendError (AuthenticationSessionModel authSession, Error error)

Response	authenticated (UserSessionModel userSession, ClientSessionContext clientSessionCtx)

AttributeStatementType	populateAttributeStatements (List< ProtocolMapperProcessor< SAMLAttributeStatementMapper >> attributeStatementMappers, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

ResponseType	transformLoginResponse (List< ProtocolMapperProcessor< SAMLLoginResponseMapper >> mappers, ResponseType response, KeycloakSession session, UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

void	populateRoles (ProtocolMapperProcessor< SAMLRoleListMapper > roleListMapper, KeycloakSession session, UserSessionModel userSession, ClientSessionContext clientSessionCtx, final AttributeStatementType existingAttributeStatement)

Response	frontchannelLogout (UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

Response	finishLogout (UserSessionModel userSession)

void	backchannelLogout (UserSessionModel userSession, AuthenticatedClientSessionModel clientSession)

boolean	requireReauthentication (UserSessionModel userSession, AuthenticationSessionModel authSession)

void	close ()

静的公開メンバ関数
static boolean	isLogoutPostBindingForInitiator (UserSessionModel session)

static String	getLogoutServiceUrl (UriInfo uriInfo, ClientModel client, String bindingType)

静的公開変数類
static final String	ATTRIBUTE_TRUE_VALUE = "true"

static final String	ATTRIBUTE_FALSE_VALUE = "false"

static final String	SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE = "saml_assertion_consumer_url_post"

static final String	SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE = "saml_assertion_consumer_url_redirect"

static final String	SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE = "saml_single_logout_service_url_post"

static final String	SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE = "saml_single_logout_service_url_redirect"

static final String	LOGIN_PROTOCOL = "saml"

static final String	SAML_BINDING = "saml_binding"

static final String	SAML_IDP_INITIATED_LOGIN = "saml_idp_initiated_login"

static final String	SAML_POST_BINDING = "post"

static final String	SAML_SOAP_BINDING = "soap"

static final String	SAML_REDIRECT_BINDING = "get"

static final String	SAML_REQUEST_ID = "SAML_REQUEST_ID"

static final String	SAML_LOGOUT_BINDING = "saml.logout.binding"

static final String	SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO = "saml.logout.addExtensionsElementWithKeyInfo"

static final String	SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER = "SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER"

static final String	SAML_LOGOUT_REQUEST_ID = "SAML_LOGOUT_REQUEST_ID"

static final String	SAML_LOGOUT_RELAY_STATE = "SAML_LOGOUT_RELAY_STATE"

static final String	SAML_LOGOUT_CANONICALIZATION = "SAML_LOGOUT_CANONICALIZATION"

static final String	SAML_LOGOUT_BINDING_URI = "SAML_LOGOUT_BINDING_URI"

static final String	SAML_LOGOUT_SIGNATURE_ALGORITHM = "saml.logout.signature.algorithm"

static final String	SAML_NAME_ID = "SAML_NAME_ID"

static final String	SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT"

static final String	SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()

static final String	SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for"

static final String	SAML_IDP_INITIATED_SSO_RELAY_STATE = "saml_idp_initiated_sso_relay_state"

static final String	SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name"

限定公開メンバ関数
Response	buildErrorResponse (boolean isPostBinding, String destination, JaxrsSAML2BindingBuilder binding, Document document) throws ConfigurationException, ProcessingException, IOException

String	getResponseIssuer (RealmModel realm)

boolean	isPostBinding (AuthenticationSessionModel authSession)

boolean	isPostBinding (AuthenticatedClientSessionModel clientSession)

boolean	isLogoutPostBindingForClient (AuthenticatedClientSessionModel clientSession)

String	getNameIdFormat (SamlClient samlClient, AuthenticatedClientSessionModel clientSession)

String	getNameId (String nameIdFormat, CommonClientSessionModel clientSession, UserSessionModel userSession)

String	getPersistentNameId (final CommonClientSessionModel clientSession, final UserSessionModel userSession)

Response	buildAuthenticatedResponse (AuthenticatedClientSessionModel clientSession, String redirectUri, Document samlDocument, JaxrsSAML2BindingBuilder bindingBuilder) throws ConfigurationException, ProcessingException, IOException

Response	buildLogoutResponse (UserSessionModel userSession, String logoutBindingUri, SAML2LogoutResponseBuilder builder, JaxrsSAML2BindingBuilder binding) throws ConfigurationException, ProcessingException, IOException

SAML2LogoutRequestBuilder	createLogoutRequest (String logoutUrl, AuthenticatedClientSessionModel clientSession, ClientModel client)

限定公開変数類
KeycloakSession	session

RealmModel	realm

UriInfo	uriInfo

HttpHeaders	headers

EventBuilder	event

静的限定公開変数類
static final Logger	logger = Logger.getLogger(SamlProtocol.class)

非公開メンバ関数
Response	samlErrorMessage (AuthenticationSessionModel authSession, SamlClient samlClient, boolean isPostBinding, String destination, JBossSAMLURIConstants statusDetail, String relayState)

JBossSAMLURIConstants	translateErrorToSAMLStatus (Error error)

String	translateErrorToIdpInitiatedErrorMessage (Error error)

JaxrsSAML2BindingBuilder	createBindingBuilder (SamlClient samlClient)

詳解

著者: Bill Burke

バージョン

Revision: 1

関数詳解

◆ authenticated()

Response org.keycloak.protocol.saml.SamlProtocol.authenticated	(	UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx
	)

inline

                                                                                                        {
         AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
         ClientModel client = clientSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         String requestID = clientSession.getNote(SAML_REQUEST_ID);
         String relayState = clientSession.getNote(GeneralConstants.RELAY_STATE);
         String redirectUri = clientSession.getRedirectUri();
         String responseIssuer = getResponseIssuer(realm);
         String nameIdFormat = getNameIdFormat(samlClient, clientSession);
         String nameId = getNameId(nameIdFormat, clientSession, userSession);
 
         if (nameId == null) {
             return samlErrorMessage(
               null, samlClient, isPostBinding(clientSession),
               redirectUri, JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, relayState
             );
         }
 
         // save NAME_ID and format in clientSession as they may be persistent or transient or email and not username
         // we'll need to send this back on a logout
         clientSession.setNote(SAML_NAME_ID, nameId);
         clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
 
         SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder();
         builder.requestID(requestID).destination(redirectUri).issuer(responseIssuer).assertionExpiration(realm.getAccessCodeLifespan()).subjectExpiration(realm.getAccessTokenLifespan())
                 .requestIssuer(clientSession.getClient().getClientId()).nameIdentifier(nameIdFormat, nameId).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
 
         String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession);
         builder.sessionIndex(sessionIndex);
 
         if (!samlClient.includeAuthnStatement()) {
             builder.disableAuthnStatement(true);
         }
 
                 builder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
 
         List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> attributeStatementMappers = new LinkedList<>();
         List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> loginResponseMappers = new LinkedList<>();
         ProtocolMapperProcessor<SAMLRoleListMapper> roleListMapper = null;
 
         Set<ProtocolMapperModel> mappings = clientSessionCtx.getProtocolMappers();
         for (ProtocolMapperModel mapping : mappings) {
 
             ProtocolMapper mapper = (ProtocolMapper) session.getKeycloakSessionFactory().getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper());
             if (mapper == null)
                 continue;
             if (mapper instanceof SAMLAttributeStatementMapper) {
                 attributeStatementMappers.add(new ProtocolMapperProcessor<SAMLAttributeStatementMapper>((SAMLAttributeStatementMapper) mapper, mapping));
             }
             if (mapper instanceof SAMLLoginResponseMapper) {
                 loginResponseMappers.add(new ProtocolMapperProcessor<SAMLLoginResponseMapper>((SAMLLoginResponseMapper) mapper, mapping));
             }
             if (mapper instanceof SAMLRoleListMapper) {
                 roleListMapper = new ProtocolMapperProcessor<SAMLRoleListMapper>((SAMLRoleListMapper) mapper, mapping);
             }
         }
 
         Document samlDocument = null;
         KeyManager keyManager = session.keys();
         KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
         boolean postBinding = isPostBinding(clientSession);
         String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
 
         try {
             if ((! postBinding) && samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                 builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
             }
 
             ResponseType samlModel = builder.buildModel();
             final AttributeStatementType attributeStatement = populateAttributeStatements(attributeStatementMappers, session, userSession, clientSession);
             populateRoles(roleListMapper, session, userSession, clientSessionCtx, attributeStatement);
 
             // SAML Spec 2.7.3 AttributeStatement must contain one or more Attribute or EncryptedAttribute
             if (attributeStatement.getAttributes().size() > 0) {
                 AssertionType assertion = samlModel.getAssertions().get(0).getAssertion();
                 assertion.addStatement(attributeStatement);
             }
 
             samlModel = transformLoginResponse(loginResponseMappers, samlModel, session, userSession, clientSession);
             samlDocument = builder.buildDocument(samlModel);
         } catch (Exception e) {
             logger.error("failed", e);
             return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
         }
 
         JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder();
         bindingBuilder.relayState(relayState);
 
         if (samlClient.requiresRealmSignature()) {
             String canonicalization = samlClient.getCanonicalizationMethod();
             if (canonicalization != null) {
                 bindingBuilder.canonicalizationMethod(canonicalization);
             }
             bindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signDocument();
         }
         if (samlClient.requiresAssertionSignature()) {
             String canonicalization = samlClient.getCanonicalizationMethod();
             if (canonicalization != null) {
                 bindingBuilder.canonicalizationMethod(canonicalization);
             }
             bindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signAssertions();
         }
         if (samlClient.requiresEncryption()) {
             PublicKey publicKey = null;
             try {
                 publicKey = SamlProtocolUtils.getEncryptionKey(client);
             } catch (Exception e) {
                 logger.error("failed", e);
                 return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
             }
             bindingBuilder.encrypt(publicKey);
         }
         try {
             return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
         } catch (Exception e) {
             logger.error("failed", e);
             return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
         }
     }

◆ backchannelLogout()

void org.keycloak.protocol.saml.SamlProtocol.backchannelLogout	(	UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inline

                                                                                                                {
         ClientModel client = clientSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         String logoutUrl = getLogoutServiceUrl(uriInfo, client, SAML_POST_BINDING);
         if (logoutUrl == null) {
             logger.warnf("Can't do backchannel logout. No SingleLogoutService POST Binding registered for client: %s", client.getClientId());
             return;
         }
         SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(logoutUrl, clientSession, client);
 
         String logoutRequestString = null;
         try {
             JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient);
             // This is POST binding, hence KeyID is included in dsig:KeyInfo/dsig:KeyName, no need to add <samlp:Extensions> element
             logoutRequestString = binding.postBinding(logoutBuilder.buildDocument()).encoded();
         } catch (Exception e) {
             logger.warn("failed to send saml logout", e);
             return;
         }
 
         HttpClient httpClient = session.getProvider(HttpClientProvider.class).getHttpClient();
         for (int i = 0; i < 2; i++) { // follow redirects once
             try {
                 List<NameValuePair> formparams = new ArrayList<NameValuePair>();
                 formparams.add(new BasicNameValuePair(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString));
                 formparams.add(new BasicNameValuePair("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT")); // for Picketlink
                                                                                                       // todo remove
                                                                                                       // this
                 UrlEncodedFormEntity form = new UrlEncodedFormEntity(formparams, "UTF-8");
                 HttpPost post = new HttpPost(logoutUrl);
                 post.setEntity(form);
                 HttpResponse response = httpClient.execute(post);
                 try {
                     int status = response.getStatusLine().getStatusCode();
                     if (status == 302 && !logoutUrl.endsWith("/")) {
                         String redirect = response.getFirstHeader(HttpHeaders.LOCATION).getValue();
                         String withSlash = logoutUrl + "/";
                         if (withSlash.equals(redirect)) {
                             logoutUrl = withSlash;
                             continue;
                         }
                     }
                 } finally {
                     HttpEntity entity = response.getEntity();
                     if (entity != null) {
                         InputStream is = entity.getContent();
                         if (is != null)
                             is.close();
                     }
 
                 }
             } catch (IOException e) {
                 logger.warn("failed to send saml logout", e);
             }
             break;
         }
 
     }

◆ buildAuthenticatedResponse()

Response org.keycloak.protocol.saml.SamlProtocol.buildAuthenticatedResponse	(	AuthenticatedClientSessionModel	clientSession,
		String	redirectUri,
		Document	samlDocument,
		JaxrsSAML2BindingBuilder	bindingBuilder
	)		throws ConfigurationException, ProcessingException, IOException

inlineprotected

                                                                                                                                                                                                                                                      {
         if (isPostBinding(clientSession)) {
             return bindingBuilder.postBinding(samlDocument).response(redirectUri);
         } else {
             return bindingBuilder.redirectBinding(samlDocument).response(redirectUri);
         }
     }

◆ buildErrorResponse()

Response org.keycloak.protocol.saml.SamlProtocol.buildErrorResponse	(	boolean	isPostBinding,
		String	destination,
		JaxrsSAML2BindingBuilder	binding,
		Document	document
	)		throws ConfigurationException, ProcessingException, IOException

inlineprotected

                                                                                                                                                                                                           {
         if (isPostBinding) {
             return binding.postBinding(document).response(destination);
         } else {
             return binding.redirectBinding(document).response(destination);
         }
     }

◆ buildLogoutResponse()

Response org.keycloak.protocol.saml.SamlProtocol.buildLogoutResponse	(	UserSessionModel	userSession,
		String	logoutBindingUri,
		SAML2LogoutResponseBuilder	builder,
		JaxrsSAML2BindingBuilder	binding
	)		throws ConfigurationException, ProcessingException, IOException

inlineprotected

                                                                                                                                                                                                                                         {
         if (isLogoutPostBindingForInitiator(userSession)) {
             return binding.postBinding(builder.buildDocument()).response(logoutBindingUri);
         } else {
             return binding.redirectBinding(builder.buildDocument()).response(logoutBindingUri);
         }
     }

◆ close()

void org.keycloak.protocol.saml.SamlProtocol.close ( )

inline

                         {
 
     }

◆ createBindingBuilder()

JaxrsSAML2BindingBuilder org.keycloak.protocol.saml.SamlProtocol.createBindingBuilder ( SamlClient samlClient )

inlineprivate

                                                                                  {
         JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder();
         if (samlClient.requiresRealmSignature()) {
             KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
             String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
             binding.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signDocument();
         }
         return binding;
     }

◆ createLogoutRequest()

SAML2LogoutRequestBuilder org.keycloak.protocol.saml.SamlProtocol.createLogoutRequest	(	String	logoutUrl,
		AuthenticatedClientSessionModel	clientSession,
		ClientModel	client
	)

inlineprotected

                                                                                                                                                  {
         // build userPrincipal with subject used at login
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder().assertionExpiration(realm.getAccessCodeLifespan()).issuer(getResponseIssuer(realm))
                 .userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT)).destination(logoutUrl);
 
         String sessionIndex = SamlSessionUtils.getSessionIndex(clientSession);
         logoutBuilder.sessionIndex(sessionIndex);
 
         return logoutBuilder;
     }

◆ finishLogout()

Response org.keycloak.protocol.saml.SamlProtocol.finishLogout ( UserSessionModel userSession )

inline

                                                                {
         logger.debug("finishLogout");
         String logoutBindingUri = userSession.getNote(SAML_LOGOUT_BINDING_URI);
         if (logoutBindingUri == null) {
             logger.error("Can't finish SAML logout as there is no logout binding set.  Please configure the logout service url in the admin console for your client applications.");
             return ErrorPage.error(session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT);
 
         }
         String logoutRelayState = userSession.getNote(SAML_LOGOUT_RELAY_STATE);
         SAML2LogoutResponseBuilder builder = new SAML2LogoutResponseBuilder();
         builder.logoutRequestID(userSession.getNote(SAML_LOGOUT_REQUEST_ID));
         builder.destination(logoutBindingUri);
         builder.issuer(getResponseIssuer(realm));
         JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder();
         binding.relayState(logoutRelayState);
         String signingAlgorithm = userSession.getNote(SAML_LOGOUT_SIGNATURE_ALGORITHM);
         boolean postBinding = isLogoutPostBindingForInitiator(userSession);
         if (signingAlgorithm != null) {
             SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(signingAlgorithm);
             String canonicalization = userSession.getNote(SAML_LOGOUT_CANONICALIZATION);
             if (canonicalization != null) {
                 binding.canonicalizationMethod(canonicalization);
             }
             KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
             XmlKeyInfoKeyNameTransformer transformer = XmlKeyInfoKeyNameTransformer.from(
               userSession.getNote(SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER),
               SamlClient.DEFAULT_XML_KEY_INFO_KEY_NAME_TRANSFORMER);
             String keyName = transformer.getKeyName(keys.getKid(), keys.getCertificate());
             binding.signatureAlgorithm(algorithm).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signDocument();
             boolean addExtension = (! postBinding) && Objects.equals("true", userSession.getNote(SamlProtocol.SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO));
             if (addExtension) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                 builder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
             }
         }
         Response response;
         try {
             response = buildLogoutResponse(userSession, logoutBindingUri, builder, binding);
         } catch (ConfigurationException | ProcessingException  | IOException e) {
             throw new RuntimeException(e);
         }
         if (logoutBindingUri != null) {
             event.detail(Details.REDIRECT_URI, logoutBindingUri);
         }
         event.event(EventType.LOGOUT)
                 .detail(Details.AUTH_METHOD, userSession.getAuthMethod())
                 .client(session.getContext().getClient())
                 .user(userSession.getUser())
                 .session(userSession)
                 .detail(Details.USERNAME, userSession.getLoginUsername())
                 .detail(Details.RESPONSE_MODE, postBinding ? SamlProtocol.SAML_POST_BINDING : SamlProtocol.SAML_REDIRECT_BINDING)
                 .detail(SamlProtocol.SAML_LOGOUT_REQUEST_ID, userSession.getNote(SAML_LOGOUT_REQUEST_ID))
                 .success();
         return response;
     }

◆ frontchannelLogout()

Response org.keycloak.protocol.saml.SamlProtocol.frontchannelLogout	(	UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inline

                                                                                                                     {
         ClientModel client = clientSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         try {
             boolean postBinding = isLogoutPostBindingForClient(clientSession);
             String bindingUri = getLogoutServiceUrl(uriInfo, client, postBinding ? SAML_POST_BINDING : SAML_REDIRECT_BINDING);
             if (bindingUri == null) {
                 logger.warnf("Failed to logout client %s, skipping this client.  Please configure the logout service url in the admin console for your client applications.", client.getClientId());
                 return null;
             }
 
             if (postBinding) {
                 SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(bindingUri, clientSession, client);
                 // This is POST binding, hence KeyID is included in dsig:KeyInfo/dsig:KeyName, no need to add <samlp:Extensions> element
                 JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient);
                 return binding.postBinding(logoutBuilder.buildDocument()).request(bindingUri);
             } else {
                 logger.debug("frontchannel redirect binding");
                 SAML2LogoutRequestBuilder logoutBuilder = createLogoutRequest(bindingUri, clientSession, client);
                 if (samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                     KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
                     String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                     logoutBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                 }
                 JaxrsSAML2BindingBuilder binding = createBindingBuilder(samlClient);
                 return binding.redirectBinding(logoutBuilder.buildDocument()).request(bindingUri);
             }
         } catch (ConfigurationException e) {
             throw new RuntimeException(e);
         } catch (ProcessingException e) {
             throw new RuntimeException(e);
         } catch (IOException e) {
             throw new RuntimeException(e);
         } catch (ParsingException e) {
             throw new RuntimeException(e);
         }
 
     }

◆ getLogoutServiceUrl()

static String org.keycloak.protocol.saml.SamlProtocol.getLogoutServiceUrl	(	UriInfo	uriInfo,
		ClientModel	client,
		String	bindingType
	)

inlinestatic

                                                                                                       {
         String logoutServiceUrl = null;
         if (SAML_POST_BINDING.equals(bindingType)) {
             logoutServiceUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE);
         } else {
             logoutServiceUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
         }
         if (logoutServiceUrl == null)
             logoutServiceUrl = client.getManagementUrl();
         if (logoutServiceUrl == null || logoutServiceUrl.trim().equals(""))
             return null;
         return ResourceAdminManager.resolveUri(uriInfo.getRequestUri(), client.getRootUrl(), logoutServiceUrl);
 
     }

◆ getNameId()

String org.keycloak.protocol.saml.SamlProtocol.getNameId	(	String	nameIdFormat,
		CommonClientSessionModel	clientSession,
		UserSessionModel	userSession
	)

inlineprotected

                                                                                                                            {
         if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
             final String email = userSession.getUser().getEmail();
             if (email == null) {
                 logger.debugf("E-mail of the user %s has to be set for %s NameIDFormat", userSession.getUser().getUsername(), JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get());
             }
             return email;
         } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get())) {
             // "G-" stands for "generated" Add this for the slight possibility of collisions.
             return "G-" + UUID.randomUUID().toString();
         } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get())) {
             return getPersistentNameId(clientSession, userSession);
         } else if (nameIdFormat.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get())) {
             // TODO: Support for persistent NameID (pseudo-random identifier persisted in user object)
             return userSession.getUser().getUsername();
         } else {
             return userSession.getUser().getUsername();
         }
     }

◆ getNameIdFormat()

String org.keycloak.protocol.saml.SamlProtocol.getNameIdFormat	(	SamlClient	samlClient,
		AuthenticatedClientSessionModel	clientSession
	)

inlineprotected

                                                                                                            {
         String nameIdFormat = clientSession.getNote(GeneralConstants.NAMEID_FORMAT);
 
         boolean forceFormat = samlClient.forceNameIDFormat();
         String configuredNameIdFormat = samlClient.getNameIDFormat();
         if ((nameIdFormat == null || forceFormat) && configuredNameIdFormat != null) {
             nameIdFormat = configuredNameIdFormat;
          }
         if (nameIdFormat == null)
             return SAML_DEFAULT_NAMEID_FORMAT;
         return nameIdFormat;
     }

◆ getPersistentNameId()

String org.keycloak.protocol.saml.SamlProtocol.getPersistentNameId	(	final CommonClientSessionModel	clientSession,
		final UserSessionModel	userSession
	)

inlineprotected

Attempts to retrieve the persistent type NameId as follows:

saml.persistent.name.id.for.$clientId user attribute
saml.persistent.name.id.for.* user attribute
G-$randomUuid

If a randomUuid is generated, an attribute for the given saml.persistent.name.id.for.$clientId will be generated, otherwise no state change will occur with respect to the user's attributes.

戻り値: the user's persistent NameId

                                                                                                                            {
         // attempt to retrieve the UserID for the client-specific attribute
         final UserModel user = userSession.getUser();
         final String clientNameId = String.format("%s.%s", SAML_PERSISTENT_NAME_ID_FOR,
                 clientSession.getClient().getClientId());
         String samlPersistentNameId = user.getFirstAttribute(clientNameId);
         if (samlPersistentNameId != null) {
             return samlPersistentNameId;
         }
 
         // check for a wildcard attribute
         final String wildcardNameId = String.format("%s.*", SAML_PERSISTENT_NAME_ID_FOR);
         samlPersistentNameId = user.getFirstAttribute(wildcardNameId);
         if (samlPersistentNameId != null) {
             return samlPersistentNameId;
         }
 
         // default to generated.  "G-" stands for "generated"
         samlPersistentNameId = "G-" + UUID.randomUUID().toString();
         user.setSingleAttribute(clientNameId, samlPersistentNameId);
         return samlPersistentNameId;
     }

◆ getResponseIssuer()

String org.keycloak.protocol.saml.SamlProtocol.getResponseIssuer ( RealmModel realm )

inlineprotected

                                                          {
         return RealmsResource.realmBaseUrl(uriInfo).build(realm.getName()).toString();
     }

◆ isLogoutPostBindingForClient()

boolean org.keycloak.protocol.saml.SamlProtocol.isLogoutPostBindingForClient ( AuthenticatedClientSessionModel clientSession )

inlineprotected

                                                                                                   {
         ClientModel client = clientSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         String logoutPostUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE);
         String logoutRedirectUrl = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
 
         if (logoutPostUrl == null || logoutPostUrl.trim().isEmpty()) {
             // if we don't have a redirect uri either, return true and default to the admin url + POST binding
             return (logoutRedirectUrl == null || logoutRedirectUrl.trim().isEmpty());
         }
 
         if (samlClient.forcePostBinding()) {
             return true; // configured to force a post binding and post binding logout url is not null
         }
 
         String bindingType = clientSession.getNote(SAML_BINDING);
 
         // if the login binding was POST, return true
         if (SAML_POST_BINDING.equals(bindingType))
             return true;
 
         // true if we don't have a redirect binding url, so use post binding, false for redirect binding
         return (logoutRedirectUrl == null || logoutRedirectUrl.trim().isEmpty());
     }

◆ isLogoutPostBindingForInitiator()

static boolean org.keycloak.protocol.saml.SamlProtocol.isLogoutPostBindingForInitiator ( UserSessionModel session )

inlinestatic

                                                                                     {
         String note = session.getNote(SamlProtocol.SAML_LOGOUT_BINDING);
         return SamlProtocol.SAML_POST_BINDING.equals(note);
     }

◆ isPostBinding() [1/2]

boolean org.keycloak.protocol.saml.SamlProtocol.isPostBinding ( AuthenticationSessionModel authSession )

inlineprotected

                                                                             {
         ClientModel client = authSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         return SamlProtocol.SAML_POST_BINDING.equals(authSession.getClientNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding();
     }

◆ isPostBinding() [2/2]

boolean org.keycloak.protocol.saml.SamlProtocol.isPostBinding ( AuthenticatedClientSessionModel clientSession )

inlineprotected

                                                                                    {
         ClientModel client = clientSession.getClient();
         SamlClient samlClient = new SamlClient(client);
         return SamlProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SamlProtocol.SAML_BINDING)) || samlClient.forcePostBinding();
     }

◆ populateAttributeStatements()

AttributeStatementType org.keycloak.protocol.saml.SamlProtocol.populateAttributeStatements	(	List< ProtocolMapperProcessor< SAMLAttributeStatementMapper >>	attributeStatementMappers,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inline

                                                                                                              {
         AttributeStatementType attributeStatement = new AttributeStatementType();
         for (ProtocolMapperProcessor<SAMLAttributeStatementMapper> processor : attributeStatementMappers) {
             processor.mapper.transformAttributeStatement(attributeStatement, processor.model, session, userSession, clientSession);
         }
 
         return attributeStatement;
     }

◆ populateRoles()

void org.keycloak.protocol.saml.SamlProtocol.populateRoles	(	ProtocolMapperProcessor< SAMLRoleListMapper >	roleListMapper,
		KeycloakSession	session,
		UserSessionModel	userSession,
		ClientSessionContext	clientSessionCtx,
		final AttributeStatementType	existingAttributeStatement
	)

inline

                                                                                                                               {
         if (roleListMapper == null)
             return;
         roleListMapper.mapper.mapRoles(existingAttributeStatement, roleListMapper.model, session, userSession, clientSessionCtx);
     }

◆ requireReauthentication()

boolean org.keycloak.protocol.saml.SamlProtocol.requireReauthentication	(	UserSessionModel	userSession,
		AuthenticationSessionModel	authSession
	)

inline

                                                                                                                  {
         // Not yet supported
         return false;
     }

◆ samlErrorMessage()

Response org.keycloak.protocol.saml.SamlProtocol.samlErrorMessage	(	AuthenticationSessionModel	authSession,
		SamlClient	samlClient,
		boolean	isPostBinding,
		String	destination,
		JBossSAMLURIConstants	statusDetail,
		String	relayState
	)

inlineprivate

                                                                                  {
         JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder().relayState(relayState);
         SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(destination).issuer(getResponseIssuer(realm)).status(statusDetail.get());
         KeyManager keyManager = session.keys();
         if (samlClient.requiresRealmSignature()) {
             KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
             String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
             String canonicalization = samlClient.getCanonicalizationMethod();
             if (canonicalization != null) {
                 binding.canonicalizationMethod(canonicalization);
             }
             binding.signatureAlgorithm(samlClient.getSignatureAlgorithm()).signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate()).signDocument();
         }
 
         try {
             // There is no support for encrypting status messages in SAML.
             // Only assertions, attributes, base ID and name ID can be encrypted
             // See Chapter 6 of saml-core-2.0-os.pdf
             Document document = builder.buildDocument();
             return buildErrorResponse(isPostBinding, destination, binding, document);
         } catch (Exception e) {
             return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
         }
     }

◆ sendError()

Response org.keycloak.protocol.saml.SamlProtocol.sendError	(	AuthenticationSessionModel	authSession,
		Error	error
	)

inline

                                                                                    {
         try {
             ClientModel client = authSession.getClient();
 
             if ("true".equals(authSession.getClientNote(SAML_IDP_INITIATED_LOGIN))) {
                 if (error == Error.CANCELLED_BY_USER) {
                     UriBuilder builder = RealmsResource.protocolUrl(uriInfo).path(SamlService.class, "idpInitiatedSSO");
                     Map<String, String> params = new HashMap<>();
                     params.put("realm", realm.getName());
                     params.put("protocol", LOGIN_PROTOCOL);
                     params.put("client", client.getAttribute(SAML_IDP_INITIATED_SSO_URL_NAME));
                     URI redirect = builder.buildFromMap(params);
                     return Response.status(302).location(redirect).build();
                 } else {
                     return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, translateErrorToIdpInitiatedErrorMessage(error));
                 }
             } else {
                 return samlErrorMessage(
                   authSession, new SamlClient(client), isPostBinding(authSession),
                   authSession.getRedirectUri(), translateErrorToSAMLStatus(error), authSession.getClientNote(GeneralConstants.RELAY_STATE)
                 );
             }
         } finally {
             new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authSession, true);
         }
     }

◆ setEventBuilder()

SamlProtocol org.keycloak.protocol.saml.SamlProtocol.setEventBuilder ( EventBuilder event )

inline

                                                             {
         this.event = event;
         return this;
     }

◆ setHttpHeaders()

SamlProtocol org.keycloak.protocol.saml.SamlProtocol.setHttpHeaders ( HttpHeaders headers )

inline

                                                             {
         this.headers = headers;
         return this;
     }

◆ setRealm()

SamlProtocol org.keycloak.protocol.saml.SamlProtocol.setRealm ( RealmModel realm )

inline

                                                    {
         this.realm = realm;
         return this;
     }

◆ setSession()

SamlProtocol org.keycloak.protocol.saml.SamlProtocol.setSession ( KeycloakSession session )

inline

                                                             {
         this.session = session;
         return this;
     }

◆ setUriInfo()

SamlProtocol org.keycloak.protocol.saml.SamlProtocol.setUriInfo ( UriInfo uriInfo )

inline

                                                     {
         this.uriInfo = uriInfo;
         return this;
     }

◆ transformLoginResponse()

ResponseType org.keycloak.protocol.saml.SamlProtocol.transformLoginResponse	(	List< ProtocolMapperProcessor< SAMLLoginResponseMapper >>	mappers,
		ResponseType	response,
		KeycloakSession	session,
		UserSessionModel	userSession,
		AuthenticatedClientSessionModel	clientSession
	)

inline

                                                                                                                                                                                                                                             {
         for (ProtocolMapperProcessor<SAMLLoginResponseMapper> processor : mappers) {
             response = processor.mapper.transformLoginResponse(response, processor.model, session, userSession, clientSession);
         }
         return response;
     }

◆ translateErrorToIdpInitiatedErrorMessage()

String org.keycloak.protocol.saml.SamlProtocol.translateErrorToIdpInitiatedErrorMessage ( Error error )

inlineprivate

                                                                          {
         switch (error) {
         case CONSENT_DENIED:
             return Messages.CONSENT_DENIED;
         case PASSIVE_INTERACTION_REQUIRED:
         case PASSIVE_LOGIN_REQUIRED:
             return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
         default:
             logger.warn("Untranslated protocol Error: " + error.name() + " so we return default error message");
             return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
         }
     }

◆ translateErrorToSAMLStatus()

JBossSAMLURIConstants org.keycloak.protocol.saml.SamlProtocol.translateErrorToSAMLStatus ( Error error )

inlineprivate

                                                                           {
         switch (error) {
         case CANCELLED_BY_USER:
         case CONSENT_DENIED:
             return JBossSAMLURIConstants.STATUS_REQUEST_DENIED;
         case PASSIVE_INTERACTION_REQUIRED:
         case PASSIVE_LOGIN_REQUIRED:
             return JBossSAMLURIConstants.STATUS_NO_PASSIVE;
         default:
             logger.warn("Untranslated protocol Error: " + error.name() + " so we return default SAML error");
             return JBossSAMLURIConstants.STATUS_REQUEST_DENIED;
         }
     }

メンバ詳解

◆ ATTRIBUTE_FALSE_VALUE

final String org.keycloak.protocol.saml.SamlProtocol.ATTRIBUTE_FALSE_VALUE = "false"

static

◆ ATTRIBUTE_TRUE_VALUE

final String org.keycloak.protocol.saml.SamlProtocol.ATTRIBUTE_TRUE_VALUE = "true"

static

◆ event

EventBuilder org.keycloak.protocol.saml.SamlProtocol.event

protected

◆ headers

HttpHeaders org.keycloak.protocol.saml.SamlProtocol.headers

protected

◆ logger

final Logger org.keycloak.protocol.saml.SamlProtocol.logger = Logger.getLogger(SamlProtocol.class)

staticprotected

◆ LOGIN_PROTOCOL

final String org.keycloak.protocol.saml.SamlProtocol.LOGIN_PROTOCOL = "saml"

static

◆ realm

RealmModel org.keycloak.protocol.saml.SamlProtocol.realm

protected

◆ SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE = "saml_assertion_consumer_url_post"

static

◆ SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE = "saml_assertion_consumer_url_redirect"

static

◆ SAML_BINDING

final String org.keycloak.protocol.saml.SamlProtocol.SAML_BINDING = "saml_binding"

static

◆ SAML_DEFAULT_NAMEID_FORMAT

final String org.keycloak.protocol.saml.SamlProtocol.SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()

static

◆ SAML_IDP_INITIATED_LOGIN

final String org.keycloak.protocol.saml.SamlProtocol.SAML_IDP_INITIATED_LOGIN = "saml_idp_initiated_login"

static

◆ SAML_IDP_INITIATED_SSO_RELAY_STATE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE = "saml_idp_initiated_sso_relay_state"

static

◆ SAML_IDP_INITIATED_SSO_URL_NAME

final String org.keycloak.protocol.saml.SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name"

static

◆ SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO = "saml.logout.addExtensionsElementWithKeyInfo"

static

◆ SAML_LOGOUT_BINDING

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_BINDING = "saml.logout.binding"

static

◆ SAML_LOGOUT_BINDING_URI

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_BINDING_URI = "SAML_LOGOUT_BINDING_URI"

static

◆ SAML_LOGOUT_CANONICALIZATION

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_CANONICALIZATION = "SAML_LOGOUT_CANONICALIZATION"

static

◆ SAML_LOGOUT_RELAY_STATE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_RELAY_STATE = "SAML_LOGOUT_RELAY_STATE"

static

◆ SAML_LOGOUT_REQUEST_ID

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_REQUEST_ID = "SAML_LOGOUT_REQUEST_ID"

static

◆ SAML_LOGOUT_SIGNATURE_ALGORITHM

final String org.keycloak.protocol.saml.SamlProtocol.SAML_LOGOUT_SIGNATURE_ALGORITHM = "saml.logout.signature.algorithm"

static

◆ SAML_NAME_ID

final String org.keycloak.protocol.saml.SamlProtocol.SAML_NAME_ID = "SAML_NAME_ID"

static

◆ SAML_NAME_ID_FORMAT

final String org.keycloak.protocol.saml.SamlProtocol.SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT"

static

◆ SAML_PERSISTENT_NAME_ID_FOR

final String org.keycloak.protocol.saml.SamlProtocol.SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for"

static

◆ SAML_POST_BINDING

final String org.keycloak.protocol.saml.SamlProtocol.SAML_POST_BINDING = "post"

static

◆ SAML_REDIRECT_BINDING

final String org.keycloak.protocol.saml.SamlProtocol.SAML_REDIRECT_BINDING = "get"

static

◆ SAML_REQUEST_ID

final String org.keycloak.protocol.saml.SamlProtocol.SAML_REQUEST_ID = "SAML_REQUEST_ID"

static

◆ SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER

final String org.keycloak.protocol.saml.SamlProtocol.SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER = "SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER"

static

◆ SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE = "saml_single_logout_service_url_post"

static

◆ SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE

final String org.keycloak.protocol.saml.SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE = "saml_single_logout_service_url_redirect"

static

◆ SAML_SOAP_BINDING

final String org.keycloak.protocol.saml.SamlProtocol.SAML_SOAP_BINDING = "soap"

static

◆ session

KeycloakSession org.keycloak.protocol.saml.SamlProtocol.session

protected

◆ uriInfo

UriInfo org.keycloak.protocol.saml.SamlProtocol.uriInfo

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java

クラス

公開メンバ関数

静的公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

静的限定公開変数類

非公開メンバ関数

詳解

関数詳解

◆ authenticated()

◆ backchannelLogout()

◆ buildAuthenticatedResponse()

◆ buildErrorResponse()

◆ buildLogoutResponse()

◆ close()

◆ createBindingBuilder()

◆ createLogoutRequest()

◆ finishLogout()

◆ frontchannelLogout()

◆ getLogoutServiceUrl()

◆ getNameId()

◆ getNameIdFormat()

◆ getPersistentNameId()

◆ getResponseIssuer()

◆ isLogoutPostBindingForClient()

◆ isLogoutPostBindingForInitiator()

◆ isPostBinding() [1/2]

◆ isPostBinding() [2/2]

◆ populateAttributeStatements()

◆ populateRoles()

◆ requireReauthentication()

◆ samlErrorMessage()

◆ sendError()

◆ setEventBuilder()

◆ setHttpHeaders()

◆ setRealm()

◆ setSession()

◆ setUriInfo()

◆ transformLoginResponse()

◆ translateErrorToIdpInitiatedErrorMessage()

◆ translateErrorToSAMLStatus()

メンバ詳解

◆ ATTRIBUTE_FALSE_VALUE

◆ ATTRIBUTE_TRUE_VALUE

◆ event

◆ headers

◆ logger

◆ LOGIN_PROTOCOL

◆ realm

◆ SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE

◆ SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE

◆ SAML_BINDING

◆ SAML_DEFAULT_NAMEID_FORMAT

◆ SAML_IDP_INITIATED_LOGIN

◆ SAML_IDP_INITIATED_SSO_RELAY_STATE

◆ SAML_IDP_INITIATED_SSO_URL_NAME

◆ SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO

◆ SAML_LOGOUT_BINDING

◆ SAML_LOGOUT_BINDING_URI

◆ SAML_LOGOUT_CANONICALIZATION

◆ SAML_LOGOUT_RELAY_STATE

◆ SAML_LOGOUT_REQUEST_ID

◆ SAML_LOGOUT_SIGNATURE_ALGORITHM

◆ SAML_NAME_ID

◆ SAML_NAME_ID_FORMAT

◆ SAML_PERSISTENT_NAME_ID_FOR

◆ SAML_POST_BINDING

◆ SAML_REDIRECT_BINDING

◆ SAML_REQUEST_ID

◆ SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER

◆ SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE

◆ SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE

◆ SAML_SOAP_BINDING

◆ session

◆ uriInfo