keycloak-aplcache

Merge pull request #2131 from patriot1burke/master saml

1/29/2016 12:30:04 PM


diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/BrowserHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/BrowserHandler.java
new file mode 100755
index 0000000..9008b99
--- /dev/null
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/BrowserHandler.java
@@ -0,0 +1,24 @@
+package org.keycloak.adapters.saml.profile.webbrowsersso;
+
+import org.keycloak.adapters.saml.OnSessionCreated;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlInvocationContext;
+import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.saml.common.constants.GeneralConstants;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class BrowserHandler extends WebBrowserSsoAuthenticationHandler {
+    public BrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    public AuthOutcome handle(OnSessionCreated onCreateSession) {
+        return doHandle(new SamlInvocationContext(null, null, null), onCreateSession);
+    }
+}
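Review bot: `handle` passes `new SamlInvocationContext(null, null, null)` without saying why, so a reader cannot tell that this handler never looks at the SAMLRequest, SAMLResponse or RelayState parameters. This is apparently so that SAML messages are only processed by SamlEndpoint at the `/saml` path. A class Javadoc line such as `Handles protected application URLs; never consumes SAML protocol parameters, which are accepted only by SamlEndpoint.` would record that. The `GeneralConstants` import is unused in this file, and CatalinaSamlEndpoint.java likewise imports `BrowserHandler` without using it.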
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/SamlEndpoint.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/SamlEndpoint.java
new file mode 100755
index 0000000..2debf47
--- /dev/null
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/SamlEndpoint.java
@@ -0,0 +1,33 @@
+package org.keycloak.adapters.saml.profile.webbrowsersso;
+
+import org.keycloak.adapters.saml.OnSessionCreated;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlInvocationContext;
+import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.saml.common.constants.GeneralConstants;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class SamlEndpoint extends WebBrowserSsoAuthenticationHandler {
+    public SamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    public AuthOutcome handle(OnSessionCreated onCreateSession) {
+        String samlRequest = facade.getRequest().getFirstParam(GeneralConstants.SAML_REQUEST_KEY);
+        String samlResponse = facade.getRequest().getFirstParam(GeneralConstants.SAML_RESPONSE_KEY);
+        String relayState = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
+        if (samlRequest != null) {
+            return handleSamlRequest(samlRequest, relayState);
+        } else if (samlResponse != null) {
+            return handleSamlResponse(samlResponse, relayState, onCreateSession);
+        }
+        return AuthOutcome.NOT_ATTEMPTED;
+
+    }
+}
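Review bot: `handle` does not document its dispatch rules, and callers need them. A request carrying both `SAMLRequest` and `SAMLResponse` is treated as a request and the response parameter is silently ignored. A request with neither returns `AuthOutcome.NOT_ATTEMPTED`, which each container adapter then has to turn into some reply. A method Javadoc stating the precedence and the NOT_ATTEMPTED case, plus a class comment noting that all three parameters are read unauthenticated from the request, would cover this.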
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.java
old mode 100644
new mode 100755
index f3e98e5..0a6700c
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/webbrowsersso/WebBrowserSsoAuthenticationHandler.java
@@ -25,7 +25,7 @@ public class WebBrowserSsoAuthenticationHandler extends AbstractSamlAuthenticati
         return new WebBrowserSsoAuthenticationHandler(facade, deployment, sessionStore);
     }
 
-    private WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+    WebBrowserSsoAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         super(facade, deployment, sessionStore);
     }
 
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
index cd9affd..b494847 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
@@ -38,12 +38,16 @@ public abstract class SamlAuthenticator {
 
     protected abstract void completeAuthentication(SamlSession samlSession);
 
-    private SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+    protected SamlAuthenticationHandler createAuthenticationHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         if (EcpAuthenticationHandler.canHandle(facade)) {
             return EcpAuthenticationHandler.create(facade, deployment, sessionStore);
         }
 
         // defaults to the web browser sso profile
+        return createBrowserHandler(facade, deployment, sessionStore);
+    }
+
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
         return WebBrowserSsoAuthenticationHandler.create(facade, deployment, sessionStore);
     }
 }
\ No newline at end of file
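Review bot: `createAuthenticationHandler` is widened from `private` to `protected`, but every subclass in this commit overrides only `createBrowserHandler`. Leaving the dispatcher `private` would keep the `EcpAuthenticationHandler.canHandle` decision out of reach of subclass overrides, so that the browser-profile handler is the only supported extension point. `createBrowserHandler` also has no Javadoc; something like `/** Creates the web browser SSO handler; adapters override this to return BrowserHandler or SamlEndpoint. */` would document the contract.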
diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlUtil.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlUtil.java
index d3d9a0f..65b0fb5 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlUtil.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/SamlUtil.java
@@ -2,6 +2,7 @@ package org.keycloak.adapters.saml;
 
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.saml.BaseSAML2BindingBuilder;
+import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.exceptions.ConfigurationException;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.w3c.dom.Document;
@@ -32,4 +33,41 @@ public class SamlUtil {
         }
     }
 
+    /**
+     * Gets a url to redirect to if there is an IDP initiated login.  Looks for a redirectTo query param first, then looks
+     * in RelayState, if not in either defaults to context path.
+     *
+     * @param facade
+     * @param contextPath
+     * @param baseUri
+     * @return
+     */
+    public static String getRedirectTo(HttpFacade facade, String contextPath, String baseUri) {
+        String redirectTo = facade.getRequest().getQueryParamValue("redirectTo");
+        if (redirectTo != null && !redirectTo.isEmpty()) {
+            return buildRedirectTo(baseUri, redirectTo);
+        } else {
+            redirectTo = facade.getRequest().getFirstParam(GeneralConstants.RELAY_STATE);
+            if (redirectTo != null) {
+                int index = redirectTo.indexOf("redirectTo=");
+                if (index >= 0) {
+                    String to = redirectTo.substring(index + "redirectTo=".length());
+                    index = to.indexOf(';');
+                    if (index >=0) {
+                        to = to.substring(0, index);
+                    }
+                    return buildRedirectTo(baseUri, to);
+                }
+            }
+            if (contextPath.isEmpty()) baseUri += "/";
+            return baseUri;
+        }
+    }
+
+    private static String buildRedirectTo(String baseUri, String redirectTo) {
+        if (redirectTo.startsWith("/")) redirectTo = redirectTo.substring(1);
+        if (baseUri.endsWith("/")) baseUri = baseUri.substring(0, baseUri.length() - 1);
+        redirectTo = baseUri + "/" + redirectTo;
+        return redirectTo;
+    }
 }
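Review bot: The `redirectTo` value that `getRedirectTo` takes from the query string or from RelayState is request-controlled, and `buildRedirectTo` appends it to `baseUri` without normalising or validating it. The result always starts with `baseUri`, so it stays on the same origin, but `..` segments can still lead outside the context path, and whether CR/LF in the value is filtered before it reaches a Location header depends on the container. A guard at the top of `buildRedirectTo` such as `if (redirectTo.contains("..") || redirectTo.indexOf('\r') >= 0 || redirectTo.indexOf('\n') >= 0) return baseUri;` would fall back to the context root instead. The RelayState branch also matches `redirectTo=` anywhere in the string via `indexOf`, and the Javadoc leaves `@param` and `@return` empty; it should say that both inputs are untrusted.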
diff --git a/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/AbstractSamlAuthenticator.java b/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/AbstractSamlAuthenticator.java
index 5028542..1746ccb 100755
--- a/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/AbstractSamlAuthenticator.java
+++ b/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/AbstractSamlAuthenticator.java
@@ -13,6 +13,10 @@ import org.eclipse.jetty.server.UserIdentity;
 import org.eclipse.jetty.server.handler.ContextHandler;
 import org.eclipse.jetty.util.URIUtil;
 import org.jboss.logging.Logger;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.spi.AdapterSessionStore;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
@@ -234,16 +238,38 @@ public abstract class AbstractSamlAuthenticator extends LoginAuthenticator {
             log.debug("*** deployment isn't configured return false");
             return Authentication.UNAUTHENTICATED;
         }
-        if (!mandatory)
+        boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
+        if (!mandatory && !isEndpoint)
             return new DeferredAuthentication(this);
         JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
 
-        SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore ) {
-            @Override
-            protected void completeAuthentication(SamlSession account) {
+        SamlAuthenticator authenticator = null;
+        if (isEndpoint) {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
 
-            }
-        };
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new SamlEndpoint(facade, deployment, sessionStore);
+                }
+            };
+
+        } else {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
+
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new BrowserHandler(facade, deployment, sessionStore);
+                }
+            };
+        }
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             if (facade.isEnded()) {
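Review bot: `isEndpoint` is true for any request path that merely ends in `/saml`, for example `/reports/saml`, not only for the adapter endpoint at the context root. With `!mandatory && !isEndpoint`, such a path on an unconstrained resource now skips the `DeferredAuthentication` return and runs the SAML authenticator eagerly. If the endpoint is meant to be exactly `<context>/saml`, as the `/saml` URL pattern added in SamlServletExtension suggests, compare the context-relative path with `"/saml".equals(...)` instead of `endsWith`. The same suffix test appears in the SamlFilter hunk, in AbstractSamlAuthenticatorValve.invoke and in AbstractSamlAuthMech (`exchange.getRequestPath().endsWith("/saml")`). The enclosing method starts and ends outside this hunk.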
diff --git a/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/JettySamlSessionStore.java b/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/JettySamlSessionStore.java
index 380066e..0128087 100755
--- a/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/JettySamlSessionStore.java
+++ b/adapters/saml/jetty/jetty-core/src/main/java/org/keycloak/adapters/saml/jetty/JettySamlSessionStore.java
@@ -3,12 +3,14 @@ package org.keycloak.adapters.saml.jetty;
 import org.eclipse.jetty.server.Request;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.AdapterSessionStore;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.jetty.spi.JettyUserSessionManagement;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpSession;
@@ -151,7 +153,13 @@ public class JettySamlSessionStore implements SamlSessionStore {
 
     @Override
     public String getRedirectUri() {
-        return (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)request.getSession(true).getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override
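Review bot: This null fallback in `getRedirectUri` is repeated almost verbatim in FilterSamlSessionStore, CatalinaSamlSessionStore and ServletSamlSessionStore, so any later fix to how the base URI is derived has to be made four times. `baseUri` comes from `request.getRequestURL()`, which reflects the host as the container saw it; behind a reverse proxy that may not be the externally visible origin. Consider a shared helper and a comment such as `// fallback for IdP-initiated login: no redirect URI was saved in the session`.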
diff --git a/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/FilterSamlSessionStore.java b/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/FilterSamlSessionStore.java
index e690db5..d25f2da 100755
--- a/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/FilterSamlSessionStore.java
+++ b/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/FilterSamlSessionStore.java
@@ -1,12 +1,14 @@
 package org.keycloak.adapters.saml.servlet;
 
 import org.jboss.logging.Logger;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.KeycloakAccount;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.servlet.FilterSessionStore;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpServletRequest;
@@ -145,7 +147,13 @@ public class FilterSamlSessionStore extends FilterSessionStore implements SamlSe
     public String getRedirectUri() {
         HttpSession session = request.getSession(false);
         if (session == null) return null;
-        return (String)session.getAttribute(REDIRECT_URI);
+        String redirect = (String)session.getAttribute(REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
 }
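Review bot: The new fallback is unreachable when there is no session, because `if (session == null) return null;` runs first, whereas the Jetty and Catalina stores call `getSession(true)` and always reach `SamlUtil.getRedirectTo`. If an IdP-initiated response can arrive before a session exists (not visible in this hunk), this store returns null where the others return a URL. Replacing the early return with `String redirect = session == null ? null : (String) session.getAttribute(REDIRECT_URI);` would make the stores agree; otherwise a comment should say why null is intended here.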
diff --git a/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java b/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java
index ac95784..dcdd3f8 100755
--- a/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java
+++ b/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java
@@ -23,11 +23,16 @@ import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
 import org.keycloak.adapters.saml.SamlDeploymentContext;
 import org.keycloak.adapters.saml.SamlSession;
+import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
 import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.servlet.ServletHttpFacade;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
+import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.InMemorySessionIdMapper;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.saml.common.exceptions.ParsingException;
@@ -38,11 +43,16 @@ import org.keycloak.saml.common.exceptions.ParsingException;
  */
 public class SamlFilter implements Filter {
     protected SamlDeploymentContext deploymentContext;
-    protected SessionIdMapper idMapper = new InMemorySessionIdMapper();
+    protected SessionIdMapper idMapper;
     private final static Logger log = Logger.getLogger("" + SamlFilter.class);
 
     @Override
     public void init(final FilterConfig filterConfig) throws ServletException {
+        deploymentContext = (SamlDeploymentContext)filterConfig.getServletContext().getAttribute(SamlDeploymentContext.class.getName());
+        if (deploymentContext != null) {
+            idMapper = (SessionIdMapper)filterConfig.getServletContext().getAttribute(SessionIdMapper.class.getName());
+            return;
+        }
         String configResolverClass = filterConfig.getInitParameter("keycloak.config.resolver");
         if (configResolverClass != null) {
             try {
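Review bot: When a `SamlDeploymentContext` is already present in the servlet context, `idMapper` is taken from the `SessionIdMapper` attribute without a null check, and the field initialiser that used to guarantee a mapper is removed. If whatever published the deployment context did not also publish a mapper, `idMapper` stays null and is later passed to `new FilterSamlSessionStore(request, facade, 100000, idMapper)`. A fallback such as `if (idMapper == null) idMapper = new InMemorySessionIdMapper();` before the `return` keeps the old guarantee. `init` continues outside this hunk.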
@@ -92,7 +102,9 @@ public class SamlFilter implements Filter {
             deploymentContext = new SamlDeploymentContext(deployment);
             log.fine("Keycloak is using a per-deployment configuration.");
         }
+        idMapper = new InMemorySessionIdMapper();
         filterConfig.getServletContext().setAttribute(SamlDeploymentContext.class.getName(), deploymentContext);
+        filterConfig.getServletContext().setAttribute(SessionIdMapper.class.getName(), idMapper);
 
     }
 
@@ -108,13 +120,34 @@ public class SamlFilter implements Filter {
             return;
         }
         FilterSamlSessionStore tokenStore = new FilterSamlSessionStore(request, facade, 100000, idMapper);
+        boolean isEndpoint = request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml");
+        SamlAuthenticator authenticator = null;
+        if (isEndpoint) {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
+
+                }
 
-        SamlAuthenticator authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
-            @Override
-            protected void completeAuthentication(SamlSession account) {
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new SamlEndpoint(facade, deployment, sessionStore);
+                }
+            };
 
-            }
-        };
+        } else {
+            authenticator = new SamlAuthenticator(facade, deployment, tokenStore) {
+                @Override
+                protected void completeAuthentication(SamlSession account) {
+
+                }
+
+                @Override
+                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+                    return new BrowserHandler(facade, deployment, sessionStore);
+                }
+            };
+        }
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             log.fine("AUTHENTICATED");
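Review bot: The two anonymous `SamlAuthenticator` subclasses differ only in the handler they return, and the same pair is repeated in the Jetty AbstractSamlAuthenticator hunk. One subclass is enough if `isEndpoint` is declared `final` and `createBrowserHandler` returns `isEndpoint ? new SamlEndpoint(facade, deployment, sessionStore) : new BrowserHandler(facade, deployment, sessionStore);`. The empty `completeAuthentication` bodies would also benefit from a comment saying why nothing is done there. The enclosing method starts and ends outside this hunk.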
diff --git a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.java b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.java
index 3ec5a8f..2b2c555 100755
--- a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.java
+++ b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/AbstractSamlAuthenticatorValve.java
@@ -150,10 +150,23 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
     @Override
     public void invoke(Request request, Response response) throws IOException, ServletException {
         log.fine("*********************** SAML ************");
+        if (request.getRequestURI().substring(request.getContextPath().length()).endsWith("/saml")) {
+            CatalinaHttpFacade facade = new CatalinaHttpFacade(response, request);
+            SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
+            if (deployment != null && deployment.isConfigured()) {
+                SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
+                SamlAuthenticator authenticator = new CatalinaSamlEndpoint(facade, deployment, tokenStore);
+                executeAuthenticator(request, response, facade, deployment, authenticator);
+                return;
+            }
+
+        }
+
         try {
             super.invoke(request, response);
         } finally {
         }
+
     }
 
     protected abstract GenericPrincipalFactory createPrincipalFactory();
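Review bot: In the `/saml` branch of `invoke` the boolean returned by `executeAuthenticator` is discarded and the method returns without calling `super.invoke`, so the rest of the valve pipeline never sees the request. `SamlEndpoint.handle` returns `AuthOutcome.NOT_ATTEMPTED` when neither SAMLRequest nor SAMLResponse is present; unless a challenge writes a response in that case (that code is only partly visible here), the client gets an empty reply. Capture the result and answer explicitly when nothing was handled, for example `if (!handled && !response.isCommitted()) response.sendError(HttpServletResponse.SC_BAD_REQUEST);`. A short comment on why the container's own constraint processing is bypassed for this path would help the next reader.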
@@ -187,7 +200,11 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
         SamlSessionStore tokenStore = getSessionStore(request, facade, deployment);
 
 
-        CatalinaSamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore);
+        SamlAuthenticator authenticator = new CatalinaSamlAuthenticator(facade, deployment, tokenStore);
+        return executeAuthenticator(request, response, facade, deployment, authenticator);
+    }
+
+    protected boolean executeAuthenticator(Request request, HttpServletResponse response, CatalinaHttpFacade facade, SamlDeployment deployment, SamlAuthenticator authenticator) {
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             log.fine("AUTHENTICATED");
@@ -209,9 +226,6 @@ public abstract class AbstractSamlAuthenticatorValve extends FormAuthenticator i
         AuthChallenge challenge = authenticator.getChallenge();
         if (challenge != null) {
             log.fine("challenge");
-            if (loginConfig == null) {
-                loginConfig = request.getContext().getLoginConfig();
-            }
             challenge.challenge(facade);
         }
         return false;
diff --git a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlAuthenticator.java b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlAuthenticator.java
index b991124..d39eba8 100755
--- a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlAuthenticator.java
+++ b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlAuthenticator.java
@@ -1,5 +1,7 @@
 package org.keycloak.adapters.saml;
 
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
 import org.keycloak.adapters.spi.HttpFacade;
 
 /**
@@ -15,4 +17,10 @@ public class CatalinaSamlAuthenticator extends SamlAuthenticator {
     protected void completeAuthentication(SamlSession account) {
         // complete
     }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new BrowserHandler(facade, deployment, sessionStore);
+    }
+
 }
diff --git a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlEndpoint.java b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlEndpoint.java
new file mode 100755
index 0000000..b2e30b3
--- /dev/null
+++ b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlEndpoint.java
@@ -0,0 +1,28 @@
+package org.keycloak.adapters.saml;
+
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
+import org.keycloak.adapters.spi.HttpFacade;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class CatalinaSamlEndpoint extends SamlAuthenticator {
+    public CatalinaSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+    @Override
+    protected void completeAuthentication(SamlSession account) {
+        // complete
+    }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new SamlEndpoint(facade, deployment, sessionStore);
+    }
+
+
+}
diff --git a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java
index 340c811..9ebf55f 100755
--- a/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java
+++ b/adapters/saml/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/saml/CatalinaSamlSessionStore.java
@@ -9,9 +9,11 @@ import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement;
 import org.keycloak.adapters.tomcat.GenericPrincipalFactory;
+import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.dom.saml.v2.protocol.StatusType;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.util.LinkedList;
@@ -193,7 +195,13 @@ public class CatalinaSamlSessionStore implements SamlSessionStore {
 
     @Override
     public String getRedirectUri() {
-        return (String)getSession(true).getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)getSession(true).getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            String contextPath = request.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(request.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
index 3d632dd..fdb764b 100755
--- a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
@@ -16,6 +16,7 @@
  */
 package org.keycloak.adapters.saml.undertow;
 
+import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
 import org.keycloak.adapters.saml.SamlDeploymentContext;
 import org.keycloak.adapters.saml.SamlSessionStore;
@@ -104,7 +105,14 @@ public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
             return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
         }
         SamlSessionStore sessionStore = getTokenStore(exchange, facade, deployment, securityContext);
-        UndertowSamlAuthenticator authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
+        SamlAuthenticator authenticator = null;
+        if (exchange.getRequestPath().endsWith("/saml")) {
+            authenticator = new UndertowSamlEndpoint(facade, deploymentContext.resolveDeployment(facade), sessionStore);
+        } else {
+            authenticator = new UndertowSamlAuthenticator(securityContext, facade, deploymentContext.resolveDeployment(facade), sessionStore);
+
+        }
+
         AuthOutcome outcome = authenticator.authenticate();
         if (outcome == AuthOutcome.AUTHENTICATED) {
             registerNotifications(securityContext);
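Review bot: Both branches call `deploymentContext.resolveDeployment(facade)` again although a local `deployment` is already passed to `getTokenStore` one line earlier. If that local is the resolved deployment, as it appears to be, reuse it so the session store and the authenticator are guaranteed to see the same object: `authenticator = new UndertowSamlEndpoint(facade, deployment, sessionStore);`. The `= null` initialiser is redundant because both branches assign. The enclosing method starts and ends outside this hunk.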
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/SamlServletExtension.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/SamlServletExtension.java
index a7abb47..ffde30f 100755
--- a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/SamlServletExtension.java
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/SamlServletExtension.java
@@ -26,7 +26,9 @@ import io.undertow.servlet.ServletExtension;
 import io.undertow.servlet.api.AuthMethodConfig;
 import io.undertow.servlet.api.DeploymentInfo;
 import io.undertow.servlet.api.LoginConfig;
+import io.undertow.servlet.api.SecurityConstraint;
 import io.undertow.servlet.api.ServletSessionConfig;
+import io.undertow.servlet.api.WebResourceCollection;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.AdapterConstants;
 import org.keycloak.adapters.saml.DefaultSamlDeployment;
@@ -184,10 +186,24 @@ public class SamlServletExtension implements ServletExtension {
         ServletSessionConfig cookieConfig = new ServletSessionConfig();
         cookieConfig.setPath(deploymentInfo.getContextPath());
         deploymentInfo.setServletSessionConfig(cookieConfig);
+        addEndpointConstraint(deploymentInfo);
+
         ChangeSessionId.turnOffChangeSessionIdOnLogin(deploymentInfo);
 
      }
 
+    /**
+     * add security constraint to /saml so that the endpoint can be called and auth mechanism pinged.
+     * @param deploymentInfo
+     */
+    protected void addEndpointConstraint(DeploymentInfo deploymentInfo) {
+        SecurityConstraint constraint = new SecurityConstraint();
+        WebResourceCollection collection = new WebResourceCollection();
+        collection.addUrlPattern("/saml");
+        constraint.addWebResourceCollection(collection);
+        deploymentInfo.addSecurityConstraint(constraint);
+    }
+
     protected ServletSamlAuthMech createAuthMech(DeploymentInfo deploymentInfo, SamlDeploymentContext deploymentContext, UndertowUserSessionManagement userSessionManagement) {
         return new ServletSamlAuthMech(deploymentContext, userSessionManagement, getErrorPage(deploymentInfo));
     }
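Review bot: `addEndpointConstraint` adds a constraint with no roles and no explicit empty-role semantic, so whether `/saml` is reachable by unauthenticated callers rests on Undertow's default for `SecurityConstraint`. The endpoint has to accept the IdP's response before any login exists, so state that intent in code, for example `constraint.setEmptyRoleSemantic(SecurityInfo.EmptyRoleSemantic.PERMIT);`. The Javadoc should say the same, and its `@param` is currently empty. The constraint is also added unconditionally, so an application that maps its own resource to `/saml` gets it combined with its own constraints; that deserves a sentence in the Javadoc too.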
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java
index c58f6d0..46b677e 100755
--- a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/ServletSamlSessionStore.java
@@ -8,19 +8,19 @@ import io.undertow.servlet.handlers.ServletRequestContext;
 import io.undertow.servlet.spec.HttpSessionImpl;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlUtil;
 import org.keycloak.adapters.spi.SessionIdMapper;
 import org.keycloak.adapters.saml.SamlSession;
 import org.keycloak.adapters.saml.SamlSessionStore;
 import org.keycloak.adapters.undertow.ChangeSessionId;
 import org.keycloak.adapters.undertow.SavedRequest;
+import org.keycloak.adapters.undertow.ServletHttpFacade;
 import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
 import org.keycloak.common.util.KeycloakUriBuilder;
-import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import java.io.IOException;
 import java.security.Principal;
 import java.util.LinkedList;
 import java.util.List;
@@ -179,7 +179,15 @@ public class ServletSamlSessionStore implements SamlSessionStore {
     public String getRedirectUri() {
         final ServletRequestContext sc = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
         HttpSessionImpl session = sc.getCurrentServletContext().getSession(exchange, true);
-        return (String)session.getAttribute(SAML_REDIRECT_URI);
+        String redirect = (String)session.getAttribute(SAML_REDIRECT_URI);
+        if (redirect == null) {
+            ServletHttpFacade facade = new ServletHttpFacade(exchange);
+            HttpServletRequest req = (HttpServletRequest)sc.getServletRequest();
+            String contextPath = req.getContextPath();
+            String baseUri = KeycloakUriBuilder.fromUri(req.getRequestURL().toString()).replacePath(contextPath).build().toString();
+            return SamlUtil.getRedirectTo(facade, contextPath, baseUri);
+        }
+        return redirect;
     }
 
     @Override
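Review bot: The new fallback in getRedirectUri returns whatever `SamlUtil.getRedirectTo(facade, contextPath, baseUri)` produces, and nothing in this hunk limits that value to the application's own context. SamlUtil is not shown here, but the test fixture's relay state `redirectTo=/foo` suggests the target comes from RelayState, which is a plain request parameter on an IdP-initiated response. If so, it should be accepted only when it is a relative path that resolves under `contextPath`. `baseUri` is built from `req.getRequestURL()`, so it also follows the host name the client sent unless the container pins it. A comment above the call such as `// redirectTo originates from RelayState (untrusted); must resolve under contextPath` would record the expectation; the enclosing class continues outside the hunk.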
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlAuthenticator.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlAuthenticator.java
index eac0cf7..f1f0a6e 100755
--- a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlAuthenticator.java
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlAuthenticator.java
@@ -2,6 +2,9 @@ package org.keycloak.adapters.saml.undertow;
 
 import io.undertow.security.api.SecurityContext;
 import io.undertow.security.idm.Account;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.saml.SamlAuthenticator;
 import org.keycloak.adapters.saml.SamlDeployment;
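Review bot: The added `import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;` is unused in this file. The only other hunk here instantiates `BrowserHandler`, and `SamlEndpoint` is a class introduced by this same commit, so no pre-existing code in the file can refer to it. Remove the import to keep the class's dependencies honest about which handler it creates.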
@@ -39,4 +42,10 @@ public class UndertowSamlAuthenticator extends SamlAuthenticator {
         securityContext.authenticationComplete(undertowAccount, "KEYCLOAK-SAML", false);
 
     }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new BrowserHandler(facade, deployment, sessionStore);
+    }
+
 }
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlEndpoint.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlEndpoint.java
new file mode 100755
index 0000000..412d104
--- /dev/null
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/UndertowSamlEndpoint.java
@@ -0,0 +1,32 @@
+package org.keycloak.adapters.saml.undertow;
+
+import io.undertow.server.HttpHandler;
+import org.keycloak.adapters.saml.SamlAuthenticator;
+import org.keycloak.adapters.saml.SamlDeployment;
+import org.keycloak.adapters.saml.SamlSession;
+import org.keycloak.adapters.saml.SamlSessionStore;
+import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
+import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
+import org.keycloak.adapters.spi.HttpFacade;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class UndertowSamlEndpoint extends SamlAuthenticator {
+    public UndertowSamlEndpoint(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        super(facade, deployment, sessionStore);
+    }
+
+
+
+    @Override
+    protected void completeAuthentication(SamlSession samlSession) {
+
+    }
+
+    @Override
+    protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
+        return new SamlEndpoint(facade, deployment, sessionStore);
+    }
+}
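Review bot: `completeAuthentication` is overridden with an empty body and no comment, so a reader cannot tell whether skipping the container login on the `/saml` endpoint is deliberate. UndertowSamlAuthenticator, earlier in this diff, calls `securityContext.authenticationComplete(...)`, presumably from its own override. If the endpoint is meant only to store the SamlSession and leave account registration to the request that follows the redirect, say so in the body, for example `// intentionally empty: /saml only stores the session; the account is registered on the redirected request`. The class also has no Javadoc beyond author and version tags, and `import io.undertow.server.HttpHandler;` is unused in this new file.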
diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index 69ac705..79a4c9f 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -112,6 +112,14 @@
                     check adapter config switches.
                 </para>
             </simplesect>
+            <simplesect>
+                <title>SAML SP Client Adapter Changes</title>
+                <para>
+                    Keycloak SAML SP Client Adapter now requires a specific endpoint, <literal>/saml</literal> to be
+                    registered with your IDP.
+                </para>
+            </simplesect>
+
         </section>
         <section>
             <title>Migrating to 1.8.0</title>
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/master.xml b/docbook/saml-adapter-docs/reference/en/en-US/master.xml
index 89d16e6..b1c6938 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/master.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/master.xml
@@ -12,6 +12,8 @@
                 <!ENTITY Logout SYSTEM "modules/logout.xml">
                 <!ENTITY ErrorHandling SYSTEM "modules/adapter_error_handling.xml">
                 <!ENTITY DEBUGGING SYSTEM "modules/debugging.xml">
+                <!ENTITY Migrating SYSTEM "modules/MigrationFromOlderVersions.xml">
+                <!ENTITY IDP_REG SYSTEM "modules/idp-registration.xml">
                 ]>
 
 <book>
@@ -51,10 +53,12 @@ This one is short
     &Jetty9Adapter;
     &Jetty8Adapter;
     &FilterAdapter;
+    &IDP_REG;
     &Logout;
     &Assertions;
     &ErrorHandling;
     &DEBUGGING;
+    &Migrating;
 
 
 
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/idp-registration.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/idp-registration.xml
new file mode 100755
index 0000000..5a3fe34
--- /dev/null
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/idp-registration.xml
@@ -0,0 +1,7 @@
+<chapter id="idp-reg">
+    <title>Registering with an IDP</title>
+    <para>
+        For each servlet based adapter, the endpoint you register for the assert consumer service url and and single logout service
+        must be the base url of your servlet application with <literal>/saml</literal> appended to it i.e. https://example.com/contextPath/saml
+    </para>
+</chapter>
\ No newline at end of file
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
new file mode 100755
index 0000000..23161fa
--- /dev/null
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -0,0 +1,21 @@
+<chapter id="Migration_from_older_versions">
+    <title>Migration from older versions</title>
+
+    <section>
+        <title>Version specific migration</title>
+        <section>
+            <title>Migrating to 1.9.0</title>
+            <simplesect>
+                <title>SAML SP Client Adapter Changes</title>
+                <para>
+                    Keycloak SAML SP Client Adapter now requires a specific endpoint, <literal>/saml</literal> to be
+                    registered with your IDP.  The SamlFilter must also be bound to /saml in addition to any other binding it has.
+                    This had to be done because SAML POST binding would eat the request input stream and this would be really
+                    bad for clients that relied on it.
+                </para>
+            </simplesect>
+
+        </section>
+
+    </section>
+</chapter>
\ No newline at end of file
diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
index dc6526a..9741922 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/servlet-filter-adapter.xml
@@ -43,6 +43,14 @@
         them as filter init params instead of context params.
     </para>
     <para>
+        You can define multiple filter mappings if you have various different secure and unsecure url patterns.
+    </para>
+    <warning>
+        <para>
+            You must have a filter mapping for <literal>/saml</literal>
+        </para>
+    </warning>
+    <para>
         To use this filter, include this maven artifact in your WAR poms
     </para>
     <programlisting><![CDATA[
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
index c4acbd2..bf7d555 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTest.java
@@ -24,6 +24,7 @@ public class SamlAdapterTest {
              ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
 
             initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post",  "post.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2",  "post.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig",  "post-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email",  "post-sig-email.war", classLoader);
@@ -76,7 +77,7 @@ public class SamlAdapterTest {
     }
 
 
-    //@Test Doesn't work for Wildfly as the input stream is read by getParameter for SAML POST binding
+    @Test
     public void testSavedPostRequest() throws Exception {
         testStrategy.testSavedPostRequest();
     }
@@ -130,6 +131,11 @@ public class SamlAdapterTest {
     }
 
     @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+    @Test
     public void testAttributes() throws Exception {
         testStrategy.testAttributes();
     }
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
index 43c8189..4229afc 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SamlAdapterTestStrategy.java
@@ -124,7 +124,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
     public void testSavedPostRequest() throws Exception {
         // test login to customer-portal which does a bearer request to customer-db
         driver.navigate().to(APP_SERVER_BASE_URL + "/input-portal");
-        System.out.println("Current url: " + driver.getCurrentUrl());
+        System.err.println("*********** Current url: " + driver.getCurrentUrl());
         Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/input-portal"));
         inputPage.execute("hello");
 
@@ -160,13 +160,13 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         Response response = client.target(APP_SERVER_BASE_URL + "/employee-sig/").request().get();
         response.close();
         SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
-                .destination(APP_SERVER_BASE_URL + "/employee-sig/")
+                .destination(APP_SERVER_BASE_URL + "/employee-sig/saml")
                         .issuer(AUTH_SERVER_URL + "/realms/demo")
                         .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
         BaseSAML2BindingBuilder binding = new BaseSAML2BindingBuilder()
                 .relayState(null);
         Document document = builder.buildDocument();
-        URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/", false);
+        URI uri = binding.redirectBinding(document).generateURI(APP_SERVER_BASE_URL + "/employee-sig/saml", false);
         response = client.target(uri).request().get();
         String errorPage = response.readEntity(String.class);
         response.close();
@@ -195,7 +195,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         // first request on passive app - no login page shown, user not logged in as we are in passive mode.
         // Shown page depends on used authentication mechanism, some may return forbidden error, some return requested page with anonymous user (not logged in)
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
-        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
+        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
         System.out.println(driver.getPageSource());
         if (forbiddenIfNotauthenticated) {
             Assert.assertTrue(driver.getPageSource().contains("HTTP status code: 403"));
@@ -219,7 +219,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
 
         // refresh passive app page, not logged in again as we are in passive mode
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-passive/");
-        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/", driver.getCurrentUrl());
+        assertEquals(APP_SERVER_BASE_URL + "/sales-post-passive/saml", driver.getCurrentUrl());
         Assert.assertFalse(driver.getPageSource().contains("bburke"));
     }
 
@@ -235,13 +235,23 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
     public void testPostSimpleLoginLogoutIdpInitiated() {
         driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post");
         loginPage.login("bburke", "password");
-        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post/");
+        Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/sales-post"));
         System.out.println(driver.getPageSource());
         Assert.assertTrue(driver.getPageSource().contains("bburke"));
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post?GLO=true");
         checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post/", true);
     }
 
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        driver.navigate().to(AUTH_SERVER_URL + "/realms/demo/protocol/saml/clients/sales-post2");
+        loginPage.login("bburke", "password");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/sales-post2/foo");
+        System.out.println(driver.getPageSource());
+        Assert.assertTrue(driver.getPageSource().contains("bburke"));
+        driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post2?GLO=true");
+        checkLoggedOut(APP_SERVER_BASE_URL + "/sales-post2/", true);
+    }
+
     public void testPostSignedLoginLogout() {
         driver.navigate().to(APP_SERVER_BASE_URL + "/sales-post-sig/");
         assertAtLoginPagePostBinding();
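Review bot: The relaxed check `startsWith(APP_SERVER_BASE_URL + "/sales-post")` in testPostSimpleLoginLogoutIdpInitiated also matches sibling contexts deployed by the same suite (`/sales-post2`, `/sales-post-sig`, `/sales-post-passive`). The test would therefore still pass if the IdP-initiated login landed on a different application. Pin the landing URL to this context, for example by accepting only `APP_SERVER_BASE_URL + "/sales-post"` with or without a trailing slash. The new testPostSimpleLoginLogoutIdpInitiatedRedirectTo covers only the relative `redirectTo=/foo` case; a companion case whose relay state names a location outside the context path would confirm that such values are refused. testPostSignedLoginLogout continues outside the hunk.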
@@ -486,7 +496,7 @@ public class SamlAdapterTestStrategy  extends ExternalResource {
         driver.navigate().to(APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
         assertAtLoginPagePostBinding();
         loginPage.login("bburke", "password");
-        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/");
+        assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/bad-realm-sales-post-sig/saml");
         System.out.println(driver.getPageSource());
         Assert.assertNotNull(ErrorServlet.authError);
         SamlAuthenticationError error = (SamlAuthenticationError)ErrorServlet.authError;
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SendUsernameServlet.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SendUsernameServlet.java
index f3a14f4..1457594 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SendUsernameServlet.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/keycloaksaml/SendUsernameServlet.java
@@ -38,7 +38,7 @@ public class SendUsernameServlet extends HttpServlet {
         OutputStream stream = resp.getOutputStream();
         Principal principal = req.getUserPrincipal();
         stream.write("request-path: ".getBytes());
-        stream.write(req.getPathInfo().getBytes());
+        if (req.getPathInfo() != null) stream.write(req.getPathInfo().getBytes());
         stream.write("\n".getBytes());
         stream.write("principal=".getBytes());
         if (principal == null) {
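Review bot: The new null guard calls `req.getPathInfo()` twice and uses a brace-less `if` on one line, which is easy to misread next to the unconditional writes around it. Read the value once and brace the body: `String pathInfo = req.getPathInfo();` then `if (pathInfo != null) { stream.write(pathInfo.getBytes()); }`. The path is echoed into the response unencoded, which is tolerable only because this is a test servlet; a short comment saying so would stop the pattern being copied into application code. The method starts and ends outside the hunk.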
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/samlfilter/SamlAdapterTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/samlfilter/SamlAdapterTest.java
index d0c5d21..727aa91 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/samlfilter/SamlAdapterTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/samlfilter/SamlAdapterTest.java
@@ -24,6 +24,7 @@ public class SamlAdapterTest {
              ClassLoader classLoader = SamlAdapterTest.class.getClassLoader();
 
             initializeSamlSecuredWar("/keycloak-saml/simple-post", "/sales-post",  "post.war", classLoader);
+            initializeSamlSecuredWar("/keycloak-saml/simple-post2", "/sales-post2",  "post.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/simple-post-passive", "/sales-post-passive", "post-passive.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post", "/sales-post-sig",  "post-sig.war", classLoader);
             initializeSamlSecuredWar("/keycloak-saml/signed-post-email", "/sales-post-sig-email",  "post-sig-email.war", classLoader);
@@ -73,6 +74,12 @@ public class SamlAdapterTest {
     }
 
     @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testMetadataPostSignedLoginLogout() throws Exception {
         testStrategy.testMetadataPostSignedLoginLogout();
     }
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/integration/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..c7c95e9
--- /dev/null
+++ b/testsuite/integration/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8081/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/integration/src/test/resources/keycloak-saml/sp-metadata.xml
index 9b8b899..a8884f4 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/integration/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8081/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json b/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
index 4df617d..92ddf1a 100755
--- a/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/integration/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,31 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8081/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8081/sales-post2",
+            "redirectUris": [
+                "http://localhost:8081/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
             "name": "http://localhost:8081/input-portal/",
             "enabled": true,
             "fullScopeAllowed": true,
@@ -96,10 +113,10 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/input-portal/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/"
+                "saml_assertion_consumer_url_post": "http://localhost:8081/input-portal/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/input-portal/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/input-portal/saml"
             }
         },
         {
@@ -113,10 +130,10 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-passive/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-passive/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-passive/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-passive/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post-passive"
             }
         },
@@ -130,10 +147,10 @@
                 "http://localhost:8081/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -152,10 +169,10 @@
                 "http://localhost:8081/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -173,10 +190,10 @@
                 "http://localhost:8081/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -197,10 +214,10 @@
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -214,7 +231,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8081/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8081/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8081/bad-realm-sales-post-sig/*"
             ],
@@ -231,7 +248,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8081/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8081/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8081/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8081/bad-client-sales-post-sig/*"
             ],
@@ -252,10 +269,10 @@
                 "http://localhost:8081/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -274,7 +291,7 @@
             "redirectUris": [
                 "http://localhost:8081/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8081/employee-sig/",
+            "adminUrl": "http://localhost:8081/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -288,7 +305,7 @@
             "enabled": true,
             "protocol": "saml",
             "fullScopeAllowed": true,
-            "baseUrl": "http://localhost:8081/employee/",
+            "baseUrl": "http://localhost:8081/employee/saml",
             "redirectUris": [
                 "http://localhost:8081/employee/*"
             ],
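Review bot: The `/saml` suffix is applied to `baseUrl` for the employee client here, while the other visible hunks in this file apply it to `adminUrl`, and the jetty81 copy of testsaml.json changes `adminUrl` for the same client. `baseUrl` is normally the application's landing URL, so pointing it at the SAML endpoint looks accidental. If it is, keep `"baseUrl": "http://localhost:8081/employee/"` and add `"adminUrl": "http://localhost:8081/employee/saml",` instead. The client object starts and ends outside the hunk, so whether it already has an `adminUrl` cannot be confirmed from here.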
@@ -342,7 +359,7 @@
             "redirectUris": [
                 "http://localhost:8081/employee2/*"
             ],
-            "adminUrl": "http://localhost:8081/employee2/",
+            "adminUrl": "http://localhost:8081/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -394,10 +411,10 @@
                 "http://localhost:8081/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8081/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8081/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8081/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8081/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/JettySamlTest.java b/testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/JettySamlTest.java
index 40edb45..732017f 100755
--- a/testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/JettySamlTest.java
+++ b/testsuite/jetty/jetty81/src/test/java/org/keycloak/testsuite/JettySamlTest.java
@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -104,6 +106,16 @@ public class JettySamlTest {
     }
 
     @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();
     }
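Review bot: The two added tests are formatted inconsistently with the rest of the class: there is no blank line between the closing brace of `testSavedPostRequest` and the next `@Test`, and two blank lines follow `testPostSimpleLoginLogoutIdpInitiatedRedirectTo`. Only one of the two declares `throws Exception`. I would separate the methods with a single blank line each and give both a one-line comment naming the fixture they depend on, e.g. `// uses the /input-portal webapp (simple-input)` and `// uses the /sales-post2 client and its redirectTo relay state`. The identical hunk in the jetty91 copy of JettySamlTest.java has the same formatting. The class body continues outside the hunk.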
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
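Review bot: The commented-out `adapterConfig` block is dead configuration in this new file and should not be carried into it. It is an OIDC `AdapterConfig` (realm `tomcat`, resource `customer-portal`, a `secret`/`password` credentials entry and a `realmKey`), and none of it applies to `KeycloakSamlAuthenticator`. Dropping it avoids shipping credential-shaped placeholders that later get copied into real deployments; the element can shrink to `<New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator"/>`. The file also ends without a trailing newline. The same block is repeated in the simple-post2 jetty-web.xml and in the jetty91 copies.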
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
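Review bot: This SP definition has no `<Keys>` element, and neither `<SingleSignOnService>` nor `<SingleLogoutService>` sets any signing or signature-validation attribute. Assuming validation is off by default, the adapter will accept unsigned responses for `http://localhost:8082/input-portal/`. That is presumably intended for the "simple" fixtures, but the file should say so with a leading comment such as `<!-- Test fixture: SAML messages are deliberately unsigned and unvalidated; do not reuse outside the testsuite. -->`. `logoutPage="/logout.jsp"` also refers to a page that is not added for this webapp anywhere in the visible diff. The simple-post2 keycloak-saml.xml and the jetty91 copies are identical in these respects.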
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
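Review bot: The servlet is registered under the name `SendUsernameServlet` but its class is `org.keycloak.testsuite.keycloaksaml.InputServlet`, which looks like a copy-paste leftover; `<servlet-name>InputServlet</servlet-name>` in both the `<servlet>` and `<servlet-mapping>` elements would match. `<login-config>` combines `<auth-method>BASIC</auth-method>` with a `<form-login-config>`, which only has meaning for FORM authentication, and the whole element is presumably overridden by the authenticator installed in jetty-web.xml. Only `/secured/*` is constrained while the servlet is mapped to `/*`, so a short comment such as `<!-- only /secured/* requires login; the input form itself is intentionally public -->` would make that intent explicit. The simple-post2 web.xml repeats the BASIC/form-login mix, and the `el-jefe` role is declared in both but not referenced by any constraint.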
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/testsaml.json b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/jetty/jetty81/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
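Review bot: The new sales-post2 client sets `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"`, so the post-login destination is taken from RelayState, and this fixture only exercises a same-context relative path. The adapter code that consumes `redirectTo` is not in this hunk. It is worth confirming that it refuses absolute and scheme-relative targets, and adding a companion test that asserts an off-site value is rejected. As a smaller point, `"baseUrl": "http://localhost:8082/sales-post2"` lacks the trailing slash that the client `name` and the input-portal entry use.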
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/JettySamlTest.java b/testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/JettySamlTest.java
index 40edb45..732017f 100755
--- a/testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/JettySamlTest.java
+++ b/testsuite/jetty/jetty91/src/test/java/org/keycloak/testsuite/JettySamlTest.java
@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -104,6 +106,16 @@ public class JettySamlTest {
     }
 
     @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();
     }
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
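Review bot: Nothing in this `<IDP>` element requests signature validation and the `<SP>` declares no keys, so as far as this file shows the adapter accepts unsigned responses from `idp` over plain `http://localhost:8081`. That suits a "simple" test fixture, but the file itself does not say it is test-only; I would add a leading comment such as `<!-- Test fixture: unsigned SAML over http, not a deployment template -->`. `redirectBindingUrl` is also set on `SingleLogoutService` although both bindings are `POST`, so it could be dropped if nothing reads it. The same applies to the simple-post2 keycloak-saml.xml and to the jetty92 copies.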
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
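Review bot: `<login-config>` pairs `<auth-method>BASIC</auth-method>` with a `<form-login-config>`, which only has meaning for `FORM`, while the authenticator that appears to be in effect is the `KeycloakSamlAuthenticator` installed by jetty-web.xml. I would either drop `<form-login-config>` or add `<!-- placeholder: authentication is done by the SAML authenticator from jetty-web.xml -->` so the intent is clear. The servlet is also named `SendUsernameServlet` while its class is `org.keycloak.testsuite.keycloaksaml.InputServlet`; renaming both `<servlet-name>` entries to `InputServlet` would avoid confusion. Only `/secured/*` is constrained here although the servlet serves `/*`, presumably on purpose for the saved-POST test, which deserves a one-line comment. The `BASIC` plus `form-login-config` pairing recurs in the simple-post2 web.xml and in the jetty92 copies.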
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/testsaml.json b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/jetty/jetty91/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
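Review bot: The new `sales-post2` client sets `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"`, so a RelayState value decides where the SP sends the browser after an IdP-initiated login, and only the well-behaved relative path is covered. The code that consumes `redirectTo` is not in this hunk, so it is not visible whether the target is restricted to paths inside the application's own context. I would add a negative test with an absolute target (a constructed value such as `redirectTo=http://other.example/`) that asserts the adapter refuses to follow it. Both new clients also omit `saml.server.signature` and `saml.client.signature`, unlike the `-sig` clients further down, so these flows run unsigned; that is acceptable for a test realm but should be a deliberate choice.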
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/JettySamlTest.java b/testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/JettySamlTest.java
index cd3c11a..957512d 100755
--- a/testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/JettySamlTest.java
+++ b/testsuite/jetty/jetty92/src/test/java/org/keycloak/testsuite/JettySamlTest.java
@@ -70,6 +70,8 @@ public class JettySamlTest {
         File base = new File(dir.getFile()).getParentFile();
         //list.add(new WebAppContext(new File(base, "customer-portal").toString(), "/customer-portal"));
         list.add(new WebAppContext(new File(base, "simple-post").toString(), "/sales-post"));
+        list.add(new WebAppContext(new File(base, "simple-post2").toString(), "/sales-post2"));
+        list.add(new WebAppContext(new File(base, "simple-input").toString(), "/input-portal"));
         list.add(new WebAppContext(new File(base, "signed-post").toString(), "/sales-post-sig"));
         list.add(new WebAppContext(new File(base, "signed-post-email").toString(), "/sales-post-sig-email"));
         list.add(new WebAppContext(new File(base, "signed-post-transient").toString(), "/sales-post-sig-transient"));
@@ -104,6 +106,16 @@ public class JettySamlTest {
     }
 
     @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();
     }
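Review bot: The two added tests are formatted inconsistently with the rest of the class: no blank line separates the closing brace of `testSavedPostRequest` from the next `@Test`, and two blank lines follow `testPostSimpleLoginLogoutIdpInitiatedRedirectTo`. I would put one blank line before the second `@Test` and remove one of the trailing ones. `testPostSimpleLoginLogoutIdpInitiatedRedirectTo()` also omits the `throws Exception` that the neighbouring tests declare, which is fine only if the strategy method throws nothing checked; that method is not visible here. The class body starts and ends outside this hunk.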
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
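Review bot: This fixture is byte-identical to the jetty91 copy added earlier in the same commit (both show blob `9fbc22b`), and the same holds for the simple-input web.xml (`318bf65`) and the simple-post2 files (`4ff86d4`, `4644d6c`, `86db4a4`). Duplicated security configuration drifts easily, so a fix applied to one container's fixture can be missed in the other. If the test layout allows it, I would serve these from a shared test-resources location; failing that, add a leading comment such as `<!-- Keep in sync with the jetty91 copy of simple-input/WEB-INF/keycloak-saml.xml -->`.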
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
new file mode 100755
index 0000000..4ff86d4
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/jetty-web.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+    <Get name="securityHandler">
+        <Set name="authenticator">
+            <New class="org.keycloak.adapters.saml.jetty.KeycloakSamlAuthenticator">
+                <!--
+                <Set name="adapterConfig">
+                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
+                        <Set name="realm">tomcat</Set>
+                        <Set name="resource">customer-portal</Set>
+                        <Set name="authServerUrl">http://localhost:8081/auth</Set>
+                        <Set name="sslRequired">external</Set>
+                        <Set name="credentials">
+                            <Map>
+                                <Entry>
+                                    <Item>secret</Item>
+                                    <Item>password</Item>
+                                </Entry>
+                            </Map>
+                        </Set>
+                        <Set name="realmKey">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB</Set>
+                    </New>
+                </Set>
+                -->
+            </New>
+        </Set>
+    </Get>
+</Configure>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
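Review bot: `<login-config>` sets `<auth-method>BASIC</auth-method>` but also carries a `<form-login-config>` block, which the servlet specification only consults for FORM authentication, so the two `/error.html` entries look like dead configuration. If the SAML adapter is expected to take over authentication from the container (not visible in this hunk), a short comment would say so, e.g. `<!-- auth-method is a placeholder; the Keycloak SAML adapter performs authentication -->`, and the unused `<form-login-config>` could be dropped. The `el-jefe` role is declared but no constraint in this file references it. The tomcat6 `simple-post2` and `simple-input` web.xml files added later in this diff carry the same block.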
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/testsaml.json b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/jetty/jetty92/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
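Review bot: The new `sales-post2` client only exercises a same-application relative path in `saml_idp_initiated_sso_relay_state` (`redirectTo=/foo`), so nothing in this fixture pins what the adapter does when that value is not a local path. The code that consumes the relay state is outside this hunk, so whether it restricts the target to the application's own context cannot be confirmed from here. Because relay state in an IdP-initiated flow reaches the service provider through the browser, a companion negative case is worth adding: a second client whose relay state names an absolute URL on another host, with the test asserting that the user still lands inside `/sales-post2`. The same hunk is repeated for the tomcat6 copy of testsaml.json.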
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java b/testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
index 0e6973a..5a214a9 100755
--- a/testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
+++ b/testsuite/tomcat6/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
@@ -61,6 +61,8 @@ public class TomcatSamlTest {
         System.setProperty("app.server.base.url", "http://localhost:8082");
         System.setProperty("my.host.name", "localhost");
         tomcat.deploySaml("/sales-post", "simple-post");
+        tomcat.deploySaml("/sales-post2", "simple-post2");
+        tomcat.deploySaml("/input-portal", "simple-input");
         tomcat.deploySaml("/sales-post-sig", "signed-post");
         tomcat.deploySaml("/sales-post-sig-email", "signed-post-email");
         tomcat.deploySaml("/sales-post-sig-transient", "signed-post-transient");
@@ -88,6 +90,16 @@ public class TomcatSamlTest {
     public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
 
     @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testPostSimpleLoginLogout() {
         testStrategy.testPostSimpleLoginLogout();
     }
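Review bot: The two added tests are formatted inconsistently with the surrounding context lines: there is no blank line between the closing brace of `testSavedPostRequest` and the next `@Test`, and two blank lines follow `testPostSimpleLoginLogoutIdpInitiatedRedirectTo`. A single blank line after each method would keep the file uniform. The class body starts and ends outside this hunk.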
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
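Review bot: The servlet is registered under the name `SendUsernameServlet` while its class is `org.keycloak.testsuite.keycloaksaml.InputServlet`, which reads like a leftover from copying the simple-post descriptor; `<servlet-name>InputServlet</servlet-name>` in both the `<servlet>` and `<servlet-mapping>` elements would match the class. The servlet is also mapped to `/*` while the security constraint covers only `/secured/*`, so every other path it serves is reachable without authentication. If that is deliberate (presumably for the saved POST request test), a one-line comment such as `<!-- only /secured/* is protected; the form page itself is public on purpose -->` would keep someone from tightening or copying it by mistake.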
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/tomcat6/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/tomcat6/src/test/resources/keycloak-saml/testsaml.json b/testsuite/tomcat6/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/tomcat6/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/tomcat6/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/tomcat7/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java b/testsuite/tomcat7/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
index 2483333..f07882d 100755
--- a/testsuite/tomcat7/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
+++ b/testsuite/tomcat7/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
@@ -78,6 +78,8 @@ public class TomcatSamlTest {
         tomcat.addWebapp("/bad-client-sales-post-sig", new File(base, "bad-client-signed-post").toString());
         tomcat.addWebapp("/bad-realm-sales-post-sig", new File(base, "bad-realm-signed-post").toString());
         tomcat.addWebapp("/sales-post-enc", new File(base, "encrypted-post").toString());
+        tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
+        tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
         SamlAdapterTestStrategy.uploadSP("http://localhost:8081/auth");
 
 
@@ -90,6 +92,14 @@ public class TomcatSamlTest {
         tomcat.stop();
         tomcat.destroy();
     }
+    @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
 
 
     @Test
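Review bot: The two added tests sit directly against the closing brace of the preceding method and against each other, unlike the blank-line-separated `@Test` that follows; add a blank line before each `@Test`. Neither test says which deployment it relies on. A one-line comment such as `// relies on the /input-portal webapp registered during setup` on `testSavedPostRequest` would help, and a matching one naming `/sales-post2` on the IdP-initiated test; this mapping is inferred from the webapps added in this commit and should be confirmed against SamlAdapterTestStrategy. The tomcat8 copy of this class has the same missing blank line between the two tests. The preceding method starts outside the hunk.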
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml
new file mode 100755
index 0000000..d16faaf
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml
@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>
\ No newline at end of file
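Review bot: `path="/customer-portal"` does not match where this directory is deployed, since TomcatSamlTest registers `simple-input` at `/input-portal`. As far as I know Tomcat ignores `path` in a webapp's META-INF/context.xml, so the value is probably harmless but misleading; use a bare `<Context>` or the real context path. The file also lacks a trailing newline. The same copy-pasted `path` appears in simple-post2/META-INF/context.xml and in both tomcat8 copies.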
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
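Review bot: This SP declares no `<Keys>` element and `<SingleSignOnService>` sets neither `signRequest` nor `validateResponseSignature`, so the fixture presumably runs fully unsigned, matching the unsigned `input-portal` client in testsaml.json. That is fine for a test, but the file should say so in a leading comment, e.g. `<!-- Test fixture: unsigned POST binding on plain HTTP; not a template for real deployments -->`, because these files tend to be copied as starting points. `redirectBindingUrl` is also set although both logout bindings are POST, and `logoutPage="/logout.jsp"` points at a page this diff does not add under simple-input (it may exist elsewhere). The same remarks apply to simple-post2/WEB-INF/keycloak-saml.xml and to both tomcat8 copies.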
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
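Review bot: The servlet is named `SendUsernameServlet` but its class is `org.keycloak.testsuite.keycloaksaml.InputServlet`, which looks like a copy-paste leftover; use `<servlet-name>InputServlet</servlet-name>` in both `<servlet>` and `<servlet-mapping>`. The servlet is mapped at `/*` while the security constraint covers only `/secured/*`, so everything outside `/secured` is served without authentication. That is presumably deliberate for the saved-POST test, but a short XML comment above `<security-constraint>` stating it would stop the file being read as an oversight. The tomcat8 copy of this file is identical.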
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml
new file mode 100755
index 0000000..d16faaf
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml
@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>
\ No newline at end of file
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
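Review bot: `<form-login-config>` is declared under `<auth-method>BASIC</auth-method>`, where the container does not use it, and no `/error.html` is added for this webapp in the visible diff; drop the `<form-login-config>` element or add a comment saying the login-config is only a placeholder for the SAML valve. The `el-jefe` security role is declared but no constraint in the file references it. The `<module-name>` line is tab-indented while the rest of the file uses spaces. The same applies to simple-input/WEB-INF/web.xml and to the tomcat8 copies.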
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/tomcat7/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/tomcat7/src/test/resources/keycloak-saml/testsaml.json b/testsuite/tomcat7/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/tomcat7/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/tomcat7/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
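Review bot: The new `sales-post2` client sets `"saml_idp_initiated_sso_relay_state": "redirectTo=/foo"`, but the fixture only covers a local path as the redirect target. The adapter code that consumes `redirectTo` is outside this hunk, so it cannot be confirmed here that the target is restricted to the application's own context. A companion test that supplies a non-local value and asserts the adapter does not follow it would pin that behaviour down. The two new clients also differ in `baseUrl` form (`/sales-post2` without a trailing slash, `/input-portal/` with one), which is worth making consistent.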
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",
diff --git a/testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java b/testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
index dd5509f..7a93432 100755
--- a/testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
+++ b/testsuite/tomcat8/src/test/java/org/keycloak/testsuite/TomcatSamlTest.java
@@ -64,6 +64,8 @@ public class TomcatSamlTest {
         URL dir = TomcatSamlTest.class.getResource("/keycloak-saml/testsaml.json");
         File base = new File(dir.getFile()).getParentFile();
         tomcat.addWebapp("/sales-post", new File(base, "simple-post").toString());
+        tomcat.addWebapp("/sales-post2", new File(base, "simple-post2").toString());
+        tomcat.addWebapp("/input-portal", new File(base, "simple-input").toString());
         tomcat.addWebapp("/sales-post-sig", new File(base, "signed-post").toString());
         tomcat.addWebapp("/sales-post-sig-email", new File(base, "signed-post-email").toString());
         tomcat.addWebapp("/sales-post-sig-transient", new File(base, "signed-post-transient").toString());
@@ -92,6 +94,16 @@ public class TomcatSamlTest {
     public SamlAdapterTestStrategy testStrategy = new SamlAdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8082", keycloakRule);
 
     @Test
+    public void testSavedPostRequest() throws Exception {
+        testStrategy.testSavedPostRequest();
+    }
+    @Test
+    public void testPostSimpleLoginLogoutIdpInitiatedRedirectTo() {
+        testStrategy.testPostSimpleLoginLogoutIdpInitiatedRedirectTo();
+    }
+
+
+    @Test
     public void testErrorHandling() throws Exception {
         testStrategy.testErrorHandling();
     }
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml
new file mode 100755
index 0000000..d16faaf
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/META-INF/context.xml
@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>
\ No newline at end of file
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..9fbc22b
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/input-portal/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
new file mode 100755
index 0000000..318bf65
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-input/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.InputServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/secured/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml
new file mode 100755
index 0000000..d16faaf
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/META-INF/context.xml
@@ -0,0 +1,3 @@
+<Context path="/customer-portal">
+    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
+</Context>
\ No newline at end of file
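Review bot: `path="/customer-portal"` does not match this application, which the sibling `keycloak-saml.xml` identifies as `http://localhost:8082/sales-post2/`, so it looks like a copy from another fixture. Tomcat documents `path` as valid only for a Context defined statically in `server.xml`, and a `META-INF/context.xml` takes its path from the deployment name, so the attribute has no effect here and only misleads a reader about where the valve is active. Writing the element as `<Context>` keeps the fixture honest about which application the SAML valve guards.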
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
new file mode 100755
index 0000000..4644d6c
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/keycloak-saml.xml
@@ -0,0 +1,24 @@
+<keycloak-saml-adapter>
+    <SP entityID="http://localhost:8082/sales-post2/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+        <PrincipalNameMapping policy="FROM_NAME_ID"/>
+        <RoleIdentifiers>
+            <Attribute name="Role"/>
+        </RoleIdentifiers>
+        <IDP entityID="idp">
+            <SingleSignOnService requestBinding="POST"
+                                 bindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+
+            <SingleLogoutService
+                    requestBinding="POST"
+                    responseBinding="POST"
+                    postBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    redirectBindingUrl="http://localhost:8081/auth/realms/demo/protocol/saml"
+                    />
+        </IDP>
+     </SP>
+</keycloak-saml-adapter>
\ No newline at end of file
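Review bot: This SP definition has no `<Keys>` element and sets no signature attributes on `<SingleSignOnService>` or `<SingleLogoutService>`, so as far as this file shows the adapter is not asked to verify the IdP's signature on responses or logout messages. The matching `sales-post2` client added to `testsaml.json` likewise carries no `saml.server.signature` attribute. That is reasonable for an unsigned-POST test case, but the file reads like a template. I would add a first line such as `<!-- test fixture: unsigned SAML, no Keys and no signature validation; not a deployment template -->`, and note that a real SP would configure the IdP signing key and set `validateResponseSignature="true"`.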
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
new file mode 100755
index 0000000..86db4a4
--- /dev/null
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/simple-post2/WEB-INF/web.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+      version="3.0">
+
+	<module-name>adapter-test</module-name>
+
+    <servlet>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <servlet-class>org.keycloak.testsuite.keycloaksaml.SendUsernameServlet</servlet-class>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>SendUsernameServlet</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Users</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>manager</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>demo</realm-name>
+        <form-login-config>
+            <form-login-page>/error.html</form-login-page>
+            <form-error-page>/error.html</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <security-role>
+        <role-name>manager</role-name>
+    </security-role>
+    <security-role>
+        <role-name>el-jefe</role-name>
+    </security-role>
+</web-app>
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/sp-metadata.xml b/testsuite/tomcat8/src/test/resources/keycloak-saml/sp-metadata.xml
index 8f143de..5eac687 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/sp-metadata.xml
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/sp-metadata.xml
@@ -7,9 +7,9 @@
                 protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol http://schemas.xmlsoap.org/ws/2003/07/secext">
             <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient
             </NameIDFormat>
-            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"/>
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"/>
             <AssertionConsumerService
-                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/"
+                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8082/sales-metadata/saml"
                     index="1" isDefault="true" />
             <KeyDescriptor use="signing">
                 <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
diff --git a/testsuite/tomcat8/src/test/resources/keycloak-saml/testsaml.json b/testsuite/tomcat8/src/test/resources/keycloak-saml/testsaml.json
index 04c5dcd..71cde71 100755
--- a/testsuite/tomcat8/src/test/resources/keycloak-saml/testsaml.json
+++ b/testsuite/tomcat8/src/test/resources/keycloak-saml/testsaml.json
@@ -78,14 +78,46 @@
             ],
             "attributes": {
                 "saml.authnstatement": "true",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post/saml",
                 "saml_idp_initiated_sso_url_name": "sales-post"
             }
         },
         {
+            "name": "http://localhost:8082/sales-post2/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/sales-post2",
+            "redirectUris": [
+                "http://localhost:8082/sales-post2/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post2/saml",
+                "saml_idp_initiated_sso_url_name": "sales-post2",
+                "saml_idp_initiated_sso_relay_state": "redirectTo=/foo"
+            }
+        },
+        {
+            "name": "http://localhost:8082/input-portal/",
+            "enabled": true,
+            "fullScopeAllowed": true,
+            "protocol": "saml",
+            "baseUrl": "http://localhost:8082/input-portal/",
+            "redirectUris": [
+                "http://localhost:8082/input-portal/*"
+            ],
+            "attributes": {
+                "saml.authnstatement": "true",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/input-portal/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/input-portal/saml"
+            }
+        },
+        {
             "name": "http://localhost:8082/sales-post-sig/",
             "enabled": true,
             "protocol": "saml",
@@ -95,10 +127,10 @@
                 "http://localhost:8082/sales-post-sig/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -112,15 +144,15 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-transient",
-            "adminUrl": "http://localhost:8082/sales-post-sig-transient",
+            "adminUrl": "http://localhost:8082/sales-post-sig-transient/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-transient/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-transient/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-transient/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -138,10 +170,10 @@
                 "http://localhost:8082/sales-post-sig-persistent/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-persistent/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-persistent/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -155,17 +187,17 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/sales-post-sig-email",
-            "adminUrl": "http://localhost:8082/sales-post-sig-email",
+            "adminUrl": "http://localhost:8082/sales-post-sig-email/saml",
             "redirectUris": [
                 "http://localhost:8082/sales-post-sig-email/*"
             ],
             "attributes": {
                 "saml_force_name_id_format": "true",
                 "saml_name_id_format": "email",
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-sig-email/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-sig-email/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA256",
                 "saml.client.signature": "true",
@@ -179,7 +211,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-realm-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-realm-sales-post-sig/*"
             ],
@@ -196,7 +228,7 @@
             "protocol": "saml",
             "fullScopeAllowed": true,
             "baseUrl": "http://localhost:8082/bad-client-sales-post-sig/",
-            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/",
+            "adminUrl": "http://localhost:8082/bad-client-sales-post-sig/saml",
             "redirectUris": [
                 "http://localhost:8082/bad-client-sales-post-sig/*"
             ],
@@ -217,10 +249,10 @@
                 "http://localhost:8082/sales-post-enc/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/sales-post-enc/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/sales-post-enc/saml",
                 "saml.server.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA512",
                 "saml.client.signature": "true",
@@ -239,7 +271,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee-sig/*"
             ],
-            "adminUrl": "http://localhost:8082/employee-sig/",
+            "adminUrl": "http://localhost:8082/employee-sig/saml",
             "attributes": {
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
@@ -257,7 +289,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee/*"
             ],
-            "adminUrl": "http://localhost:8082/employee/",
+            "adminUrl": "http://localhost:8082/employee/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -307,7 +339,7 @@
             "redirectUris": [
                 "http://localhost:8082/employee2/*"
             ],
-            "adminUrl": "http://localhost:8082/employee2/",
+            "adminUrl": "http://localhost:8082/employee2/saml",
             "attributes": {
                 "saml.authnstatement": "true"
             },
@@ -359,10 +391,10 @@
                 "http://localhost:8082/employee-sig-front/*"
             ],
             "attributes": {
-                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/",
-                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/",
+                "saml_assertion_consumer_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_assertion_consumer_url_redirect": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_post": "http://localhost:8082/employee-sig-front/saml",
+                "saml_single_logout_service_url_redirect": "http://localhost:8082/employee-sig-front/saml",
                 "saml.server.signature": "true",
                 "saml.client.signature": "true",
                 "saml.signature.algorithm": "RSA_SHA1",