org.keycloak.broker.saml.SAMLIdentityProvider クラス

org.keycloak.broker.saml.SAMLIdentityProvider の継承関係図

org.keycloak.broker.saml.SAMLIdentityProvider 連携図

公開メンバ関数
	SAMLIdentityProvider (KeycloakSession session, SAMLIdentityProviderConfig config, DestinationValidator destinationValidator)
Object	callback (RealmModel realm, AuthenticationCallback callback, EventBuilder event)
Response	performLogin (AuthenticationRequest request)
void	authenticationFinished (AuthenticationSessionModel authSession, BrokeredIdentityContext context)
Response	retrieveToken (KeycloakSession session, FederatedIdentityModel identity)
void	backchannelLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)
Response	keycloakInitiatedBrowserLogout (KeycloakSession session, UserSessionModel userSession, UriInfo uriInfo, RealmModel realm)
Response	export (UriInfo uriInfo, RealmModel realm, String format)
SignatureAlgorithm	getSignatureAlgorithm ()
IdentityProviderDataMarshaller	getMarshaller ()

限定公開メンバ関数
SAML2LogoutRequestBuilder	buildLogoutRequest (UserSessionModel userSession, UriInfo uriInfo, RealmModel realm, String singleLogoutServiceUrl)

静的限定公開変数類
static final Logger	logger = Logger.getLogger(SAMLIdentityProvider.class)

非公開メンバ関数
String	getEntityId (UriInfo uriInfo, RealmModel realm)
JaxrsSAML2BindingBuilder	buildLogoutBinding (KeycloakSession session, UserSessionModel userSession, RealmModel realm)

静的非公開メンバ関数
static void	addKeyInfo (StringBuilder target, RsaKeyMetadata key, String purpose)

非公開変数類
final DestinationValidator	destinationValidator

詳解

著者

Pedro Igor

構築子と解体子

SAMLIdentityProvider()

org.keycloak.broker.saml.SAMLIdentityProvider.SAMLIdentityProvider ( KeycloakSession  session, SAMLIdentityProviderConfig  config, DestinationValidator  destinationValidator  )

inline

                                                                                                                                       {
        super(session, config);
        this.destinationValidator = destinationValidator;
    }

関数詳解

addKeyInfo()

static void org.keycloak.broker.saml.SAMLIdentityProvider.addKeyInfo ( StringBuilder  target, RsaKeyMetadata  key, String  purpose  )

inlinestaticprivate

                                                                                             {
        if (key == null) {
            return;
        }

        target.append(SPMetadataDescriptor.xmlKeyInfo("        ", key.getKid(), PemUtils.encodeCertificate(key.getCertificate()), purpose, true));
    }

authenticationFinished()

void org.keycloak.broker.saml.SAMLIdentityProvider.authenticationFinished ( AuthenticationSessionModel  authSession, BrokeredIdentityContext  context  )

inline

                                                                                                                 {
        ResponseType responseType = (ResponseType)context.getContextData().get(SAMLEndpoint.SAML_LOGIN_RESPONSE);
        AssertionType assertion = (AssertionType)context.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
        SubjectType subject = assertion.getSubject();
        SubjectType.STSubType subType = subject.getSubType();
        NameIDType subjectNameID = (NameIDType) subType.getBaseID();
        authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT, subjectNameID.getValue());
        if (subjectNameID.getFormat() != null) authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT, subjectNameID.getFormat().toString());
        AuthnStatementType authn =  (AuthnStatementType)context.getContextData().get(SAMLEndpoint.SAML_AUTHN_STATEMENT);
        if (authn != null && authn.getSessionIndex() != null) {
            authSession.setUserSessionNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX, authn.getSessionIndex());

        }
    }

backchannelLogout()

void org.keycloak.broker.saml.SAMLIdentityProvider.backchannelLogout ( KeycloakSession  session, UserSessionModel  userSession, UriInfo  uriInfo, RealmModel  realm  )

inline

                                                                                                                            {
        String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
        if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("") || !getConfig().isBackchannelSupported()) return;
        SAML2LogoutRequestBuilder logoutBuilder = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
        JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
        try {
            int status = SimpleHttp.doPost(singleLogoutServiceUrl, session)
                    .param(GeneralConstants.SAML_REQUEST_KEY, binding.postBinding(logoutBuilder.buildDocument()).encoded())
                    .param(GeneralConstants.RELAY_STATE, userSession.getId()).asStatus();
            boolean success = status >=200 && status < 400;
            if (!success) {
                logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl);
            }
        } catch (Exception e) {
            logger.warn("Failed saml backchannel broker logout to: " + singleLogoutServiceUrl, e);
        }

    }

buildLogoutBinding()

JaxrsSAML2BindingBuilder org.keycloak.broker.saml.SAMLIdentityProvider.buildLogoutBinding ( KeycloakSession  session, UserSessionModel  userSession, RealmModel  realm  )

inlineprivate

                                                                                                                                 {
        JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder()
                .relayState(userSession.getId());
        if (getConfig().isWantAuthnRequestsSigned()) {
            KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);
            String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
            binding.signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
                    .signatureAlgorithm(getSignatureAlgorithm())
                    .signDocument();
        }
        return binding;
    }

buildLogoutRequest()

SAML2LogoutRequestBuilder org.keycloak.broker.saml.SAMLIdentityProvider.buildLogoutRequest ( UserSessionModel  userSession, UriInfo  uriInfo, RealmModel  realm, String  singleLogoutServiceUrl  )

inlineprotected

                                                                                                                                                           {
        SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
                .assertionExpiration(realm.getAccessCodeLifespan())
                .issuer(getEntityId(uriInfo, realm))
                .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
                .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT), userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
                .destination(singleLogoutServiceUrl);
        return logoutBuilder;
    }

callback()

Object org.keycloak.broker.saml.SAMLIdentityProvider.callback ( RealmModel  realm, AuthenticationCallback  callback, EventBuilder  event  )

inline

                                                                                                  {
        return new SAMLEndpoint(realm, this, getConfig(), callback, destinationValidator);
    }

export()

Response org.keycloak.broker.saml.SAMLIdentityProvider.export ( UriInfo  uriInfo, RealmModel  realm, String  format  )

inline

                                                                             {

        String authnBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();

        if (getConfig().isPostBindingAuthnRequest()) {
            authnBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
        }

        String endpoint = uriInfo.getBaseUriBuilder()
                .path("realms").path(realm.getName())
                .path("broker")
                .path(getConfig().getAlias())
                .path("endpoint")
                .build().toString();


        boolean wantAuthnRequestsSigned = getConfig().isWantAuthnRequestsSigned();
        boolean wantAssertionsSigned = getConfig().isWantAssertionsSigned();
        boolean wantAssertionsEncrypted = getConfig().isWantAssertionsEncrypted();
        String entityId = getEntityId(uriInfo, realm);
        String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();

        StringBuilder signingKeysString = new StringBuilder();
        StringBuilder encryptionKeysString = new StringBuilder();
        Set<RsaKeyMetadata> keys = new TreeSet<>((o1, o2) -> o1.getStatus() == o2.getStatus() // Status can be only PASSIVE OR ACTIVE, push PASSIVE to end of list
          ? (int) (o2.getProviderPriority() - o1.getProviderPriority())
          : (o1.getStatus() == KeyStatus.PASSIVE ? 1 : -1));
        keys.addAll(session.keys().getRsaKeys(realm));
        for (RsaKeyMetadata key : keys) {
            addKeyInfo(signingKeysString, key, KeyTypes.SIGNING.value());

            if (key.getStatus() == KeyStatus.ACTIVE) {
                addKeyInfo(encryptionKeysString, key, KeyTypes.ENCRYPTION.value());
            }
        }
        String descriptor = SPMetadataDescriptor.getSPDescriptor(authnBinding, endpoint, endpoint,
          wantAuthnRequestsSigned, wantAssertionsSigned, wantAssertionsEncrypted,
          entityId, nameIDPolicyFormat, signingKeysString.toString(), encryptionKeysString.toString());

        return Response.ok(descriptor, MediaType.APPLICATION_XML_TYPE).build();
    }

getEntityId()

String org.keycloak.broker.saml.SAMLIdentityProvider.getEntityId ( UriInfo  uriInfo, RealmModel  realm  )

inlineprivate

                                                                  {
        return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString();
    }

getMarshaller()

IdentityProviderDataMarshaller org.keycloak.broker.saml.SAMLIdentityProvider.getMarshaller ( )

inline

                                                          {
        return new SAMLDataMarshaller();
    }

getSignatureAlgorithm()

SignatureAlgorithm org.keycloak.broker.saml.SAMLIdentityProvider.getSignatureAlgorithm ( )

inline

                                                      {
        String alg = getConfig().getSignatureAlgorithm();
        if (alg != null) {
            SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg);
            if (algorithm != null) return algorithm;
        }
        return SignatureAlgorithm.RSA_SHA256;
    }

keycloakInitiatedBrowserLogout()

Response org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout ( KeycloakSession  session, UserSessionModel  userSession, UriInfo  uriInfo, RealmModel  realm  )

inline

                                                                                                                                             {
        String singleLogoutServiceUrl = getConfig().getSingleLogoutServiceUrl();
        if (singleLogoutServiceUrl == null || singleLogoutServiceUrl.trim().equals("")) return null;

        if (getConfig().isBackchannelSupported()) {
            backchannelLogout(session, userSession, uriInfo, realm);
            return null;
       } else {
            try {
                SAML2LogoutRequestBuilder logoutBuilder = buildLogoutRequest(userSession, uriInfo, realm, singleLogoutServiceUrl);
                JaxrsSAML2BindingBuilder binding = buildLogoutBinding(session, userSession, realm);
                if (getConfig().isPostBindingLogout()) {
                    return binding.postBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
                } else {
                    return binding.redirectBinding(logoutBuilder.buildDocument()).request(singleLogoutServiceUrl);
                }
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

performLogin()

Response org.keycloak.broker.saml.SAMLIdentityProvider.performLogin ( AuthenticationRequest  request )

inline

                                                                {
        try {
            UriInfo uriInfo = request.getUriInfo();
            RealmModel realm = request.getRealm();
            String issuerURL = getEntityId(uriInfo, realm);
            String destinationUrl = getConfig().getSingleSignOnServiceUrl();
            String nameIDPolicyFormat = getConfig().getNameIDPolicyFormat();

            if (nameIDPolicyFormat == null) {
                nameIDPolicyFormat =  JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get();
            }

            String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();

            String assertionConsumerServiceUrl = request.getRedirectUri();

            if (getConfig().isPostBindingResponse()) {
                protocolBinding = JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get();
            }

            SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
                    .assertionConsumerUrl(assertionConsumerServiceUrl)
                    .destination(destinationUrl)
                    .issuer(issuerURL)
                    .forceAuthn(getConfig().isForceAuthn())
                    .protocolBinding(protocolBinding)
                    .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
            JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder()
                    .relayState(request.getState().getEncoded());
            boolean postBinding = getConfig().isPostBindingAuthnRequest();

            if (getConfig().isWantAuthnRequestsSigned()) {
                KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(realm);

                KeyPair keypair = new KeyPair(keys.getPublicKey(), keys.getPrivateKey());

                String keyName = getConfig().getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
                binding.signWith(keyName, keypair);
                binding.signatureAlgorithm(getSignatureAlgorithm());
                binding.signDocument();
                if (! postBinding && getConfig().isAddExtensionsElementWithKeyInfo()) {    // Only include extension if REDIRECT binding and signing whole SAML protocol message
                    authnRequestBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                }
            }

            if (postBinding) {
                return binding.postBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
            } else {
                return binding.redirectBinding(authnRequestBuilder.toDocument()).request(destinationUrl);
            }
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create authentication request.", e);
        }
    }

retrieveToken()

Response org.keycloak.broker.saml.SAMLIdentityProvider.retrieveToken ( KeycloakSession  session, FederatedIdentityModel  identity  )

inline

                                                                                            {
        return Response.ok(identity.getToken()).build();
    }

メンバ詳解

destinationValidator

final DestinationValidator org.keycloak.broker.saml.SAMLIdentityProvider.destinationValidator

private

logger

final Logger org.keycloak.broker.saml.SAMLIdentityProvider.logger = Logger.getLogger(SAMLIdentityProvider.class)

staticprotected

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java