diff --git a/distribution/appliance-dist/assembly.xml b/distribution/appliance-dist/assembly.xml index 228f0b95a83..73f33c7daf5 100755 --- a/distribution/appliance-dist/assembly.xml +++ b/distribution/appliance-dist/assembly.xml @@ -21,6 +21,7 @@ **/*.sh welcome-content/* + **/modules/system/layers/base/org/picketlink/** @@ -31,6 +32,13 @@ 0755 + + ${project.build.directory}/unpacked/modules + keycloak/modules/system/layers/base + + org/picketlink/** + + ${project.build.directory}/unpacked/deployments keycloak/standalone/deployments diff --git a/distribution/appliance-dist/pom.xml b/distribution/appliance-dist/pom.xml index 9382e850ba8..c75c5fc3304 100755 --- a/distribution/appliance-dist/pom.xml +++ b/distribution/appliance-dist/pom.xml @@ -90,6 +90,13 @@ ${project.build.directory}/unpacked/js-adapter *.js + + org.keycloak + keycloak-jboss-modules + ${project.version} + zip + ${project.build.directory}/unpacked/modules + **/welcome-content/* diff --git a/distribution/appliance-dist/src/main/xslt/standalone.xsl b/distribution/appliance-dist/src/main/xslt/standalone.xsl index 64fda3328a8..7b8ba53ed60 100755 --- a/distribution/appliance-dist/src/main/xslt/standalone.xsl +++ b/distribution/appliance-dist/src/main/xslt/standalone.xsl @@ -46,6 +46,11 @@ + + + + + diff --git a/distribution/as7-adapter-zip/assembly.xml b/distribution/as7-adapter-zip/assembly.xml index 6a507fdf995..120549aa0fb 100755 --- a/distribution/as7-adapter-zip/assembly.xml +++ b/distribution/as7-adapter-zip/assembly.xml @@ -10,6 +10,7 @@ ${project.build.directory}/unpacked + org/picketlink/** org/keycloak/keycloak-undertow-adapter/** org/keycloak/keycloak-wildfly-subsystem/** org/keycloak/keycloak-wildfly-adapter/** diff --git a/distribution/eap6-adapter-zip/assembly.xml b/distribution/eap6-adapter-zip/assembly.xml index d3d334ac02c..d3ac9a46d38 100755 --- a/distribution/eap6-adapter-zip/assembly.xml +++ b/distribution/eap6-adapter-zip/assembly.xml @@ -10,8 +10,10 @@ ${project.build.directory}/unpacked + org/picketlink/** org/keycloak/keycloak-undertow-adapter/** org/keycloak/keycloak-wildfly-subsystem/** + org/keycloak/keycloak-wildfly-adapter/** modules/system/layers/base diff --git a/distribution/examples-docs-zip/build.xml b/distribution/examples-docs-zip/build.xml index 65dd8e20672..3e4f1dcf52b 100755 --- a/distribution/examples-docs-zip/build.xml +++ b/distribution/examples-docs-zip/build.xml @@ -26,6 +26,14 @@ + + + + + + + + diff --git a/distribution/modules/build.xml b/distribution/modules/build.xml index 85034757369..7495cdc077e 100755 --- a/distribution/modules/build.xml +++ b/distribution/modules/build.xml @@ -81,6 +81,35 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/distribution/modules/pom.xml b/distribution/modules/pom.xml index 800a182d675..6d8a003b675 100755 --- a/distribution/modules/pom.xml +++ b/distribution/modules/pom.xml @@ -83,6 +83,42 @@ org.bouncycastle bcprov-jdk16 + + org.picketlink + picketlink-common + + + org.picketlink + picketlink-idm-api + + + org.picketlink + picketlink-idm-impl + + + org.picketlink + picketlink-federation + + + org.picketlink + picketlink-wildlfy-common + + + org.picketlink + picketlink-idm-simple-schema + + + org.picketlink + picketlink-config + + + org.picketlink + picketlink-api + + + org.picketlink + picketlink-impl + diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/common/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/common/main/module.xml new file mode 100755 index 00000000000..6602ccfbc9e --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/common/main/module.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/config/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/config/main/module.xml new file mode 100755 index 00000000000..9afbd36cf72 --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/config/main/module.xml @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/core/api/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/core/api/main/module.xml new file mode 100755 index 00000000000..eb6241774cc --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/core/api/main/module.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/core/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/core/main/module.xml new file mode 100755 index 00000000000..c9aad28ea1f --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/core/main/module.xml @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/federation/bindings/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/federation/bindings/main/module.xml new file mode 100755 index 00000000000..ed09b9e6fe5 --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/federation/bindings/main/module.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/federation/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/federation/main/module.xml new file mode 100755 index 00000000000..dac4638269b --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/federation/main/module.xml @@ -0,0 +1,56 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/idm/api/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/idm/api/main/module.xml new file mode 100755 index 00000000000..9c840ba9b19 --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/idm/api/main/module.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/idm/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/idm/main/module.xml new file mode 100755 index 00000000000..97a8a80ab78 --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/idm/main/module.xml @@ -0,0 +1,34 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/idm/schema/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/idm/schema/main/module.xml new file mode 100755 index 00000000000..a9bfe968164 --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/idm/schema/main/module.xml @@ -0,0 +1,32 @@ + + + + + + + + + + + + + + + + + + + diff --git a/distribution/modules/src/main/resources/modules/org/picketlink/main/module.xml b/distribution/modules/src/main/resources/modules/org/picketlink/main/module.xml new file mode 100644 index 00000000000..2418940a90f --- /dev/null +++ b/distribution/modules/src/main/resources/modules/org/picketlink/main/module.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + \ No newline at end of file diff --git a/distribution/wildfly-adapter-zip/assembly.xml b/distribution/wildfly-adapter-zip/assembly.xml index 76d1f183e48..82a8fb98f36 100755 --- a/distribution/wildfly-adapter-zip/assembly.xml +++ b/distribution/wildfly-adapter-zip/assembly.xml @@ -13,6 +13,7 @@ org/keycloak/keycloak-as7-adapter/** org/keycloak/keycloak-as7-subsystem/** org/bouncycastle/** + org/picketlink/** modules/system/layers/base diff --git a/examples/saml/pom.xml b/examples/saml/pom.xml new file mode 100755 index 00000000000..e8be627a685 --- /dev/null +++ b/examples/saml/pom.xml @@ -0,0 +1,34 @@ + + + examples-pom + org.keycloak + 1.1.0-Alpha1-SNAPSHOT + ../pom.xml + + Provider Examples + + 4.0.0 + + examples-saml-pom + pom + + + + + org.apache.maven.plugins + maven-deploy-plugin + + true + + + + + + post-basic + post-with-signature + post-with-encryption + redirect-basic + redirect-with-signature + + diff --git a/examples/saml/post-basic/README.md b/examples/saml/post-basic/README.md new file mode 100755 index 00000000000..70934a71058 --- /dev/null +++ b/examples/saml/post-basic/README.md @@ -0,0 +1,273 @@ +picketlink-federation-saml-sp-post-basic: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding +=============================== +Author: Pedro Igor +Level: Intermediate +Technologies: PicketLink Federation, SAML v2.0 +Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding. +Source: + + +What is it? +----------- + +This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client. + + +Make sure you've set up the Keycloak Server +-------------------------------------- +The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of +the box to run these demos. So, if you're using this, you can head to Step 2. + +Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is +a few steps you must follow. + +Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation. +This installs the server. + + $ cd ${wildfly.jboss.home}/standalone + $ cp -r ${keycloak-war-dist-all}/deployments . + +To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly: + + $ cd ${wildfly.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip + +For JBoss EAP 6.x + + $ cd ${eap.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip + +For JBoss AS 7.1.1: + + $ cd ${as7.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip + +Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's +configuration (standalone/configuration/standalone.xml). + +For Wildfly: + + + + + + ... + + + + + ... + + +For JBoss 7.1.1 and EAP 6.x: + + + + + + ... + + + + + ... + + + +Boot Keycloak Server +--------------------------------------- +Where you go to start up the Keycloak Server depends on which distro you installed. + +From appliance: + +``` +$ cd keycloak/bin +$ ./standalone.sh +``` + + +From existing Wildfly/EAP6/AS7 distro + +``` +$ cd ${wildfly.jboss.home}/bin +$ ./standalone.sh +``` + + +Import the Test Realm +--------------------------------------- +Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the +create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to +create a new admin password before you can go to the create realm page. + +[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm) + +Import the testsaml.json file that is in the saml/ example directory. + + + +Install Picketlink Modules into App server +------------------------------------------ + +If you are running this example with the Keycloak application distribution, you can skip this step. + +You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details. + +Create the Security Domain for JBoss EAP +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + +Create the Security Domain for WildFly +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + + +Review the Modified Server Configuration for EAP +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file. + +The following `sp` security-domain was added to the `security` subsystem. + + + + + + + +The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider. + +Review the Modified Server Configuration for WildFly +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you are using Wildfly, the security-domain should have the following configuration: + + + + + + + + +SAML SP-Initiated Single Sign-On +----------------------------------- + +The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side. +Please, take a look at the following documentation for more details: + +1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO) + + +Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile +------------------------- + +1. Open a command line and navigate to the root of the JBoss server directory. +2. The following shows the command line to start the server with the web profile: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat + + +Build and Deploy the Quickstart +------------------------- + +_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._ + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. Type this command to build and deploy the archive: + + For EAP 6: mvn clean package jboss-as:deploy + For WildFly: mvn -Pwildfly clean package wildfly:deploy + +4. This will deploy `target/picketlink-federation-saml-sp-post-basic.war` to the running instance of the server. + + +Access the application +--------------------- + +The application will be running at the following URL: . + +*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-picketlink-federation-quickstarts).* + + +Undeploy the Archive +-------------------- + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. When you are finished testing, type this command to undeploy the archive: + + For EAP 6: mvn jboss-as:undeploy + For WildFly: mvn -Pwildfly wildfly:undeploy + + +Run the Quickstart in JBoss Developer Studio or Eclipse +------------------------------------- +You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see [Use JBoss Developer Studio or Eclipse to Run the Quickstarts](../README.md#use-jboss-developer-studio-or-eclipse-to-run-the-quickstarts) + + +Debug the Application +------------------------------------ + +If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them. + + mvn dependency:sources + mvn dependency:resolve -Dclassifier=javadoc \ No newline at end of file diff --git a/examples/saml/post-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml b/examples/saml/post-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-basic/conf/jboss-eap/WEB-INF/jboss-web.xml b/examples/saml/post-basic/conf/jboss-eap/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..c461ff2267a --- /dev/null +++ b/examples/saml/post-basic/conf/jboss-eap/WEB-INF/jboss-web.xml @@ -0,0 +1,16 @@ + + + + sp + + + sales-post + + + + org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator + + diff --git a/examples/saml/post-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml b/examples/saml/post-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension b/examples/saml/post-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension new file mode 100644 index 00000000000..ffaf42ca712 --- /dev/null +++ b/examples/saml/post-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension @@ -0,0 +1 @@ +org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension \ No newline at end of file diff --git a/examples/saml/post-basic/conf/wildfly/WEB-INF/jboss-web.xml b/examples/saml/post-basic/conf/wildfly/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..e11a2b4e6e9 --- /dev/null +++ b/examples/saml/post-basic/conf/wildfly/WEB-INF/jboss-web.xml @@ -0,0 +1,10 @@ + + + + sp + + + sales-post + diff --git a/examples/saml/post-basic/configure-security-domain-eap.cli b/examples/saml/post-basic/configure-security-domain-eap.cli new file mode 100644 index 00000000000..9f9777c4cbb --- /dev/null +++ b/examples/saml/post-basic/configure-security-domain-eap.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-basic/configure-security-domain-wildfly.cli b/examples/saml/post-basic/configure-security-domain-wildfly.cli new file mode 100644 index 00000000000..6b65d5e94fc --- /dev/null +++ b/examples/saml/post-basic/configure-security-domain-wildfly.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-basic/pom.xml b/examples/saml/post-basic/pom.xml new file mode 100644 index 00000000000..07762a89106 --- /dev/null +++ b/examples/saml/post-basic/pom.xml @@ -0,0 +1,99 @@ + + 4.0.0 + + org.picketlink.quickstarts + picketlink-federation-saml-sp-post-basic + 2.7.0.Beta2 + + war + + PicketLink Quickstart: picketlink-federation-saml-sp-post-basic + PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding + + http://www.picketlink.org + + + + Apache License, Version 2.0 + repo + http://www.apache.org/licenses/LICENSE-2.0.html + + + + + + 7.4.Final + + + 1.0.1.Final + + + 2.7.0.Beta2 + + + jboss-eap + + + 2.1.1 + + + 3.1 + 1.6 + 1.6 + + + + + ${project.artifactId} + + + maven-war-plugin + ${version.war.plugin} + + + false + + + ${target.container} + + + ${basedir}/conf/${target.container} + + + + + + + org.jboss.as.plugins + jboss-as-maven-plugin + ${version.jboss.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + wildfly + + wildfly + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + \ No newline at end of file diff --git a/examples/saml/post-basic/remove-security-domain.cli b/examples/saml/post-basic/remove-security-domain.cli new file mode 100644 index 00000000000..9487613e2ca --- /dev/null +++ b/examples/saml/post-basic/remove-security-domain.cli @@ -0,0 +1,13 @@ +# Batch script to remove the quickstart-domain security domain from the JBoss server + +# Start batching commands +batch + +# Remove the security domain +/subsystem=security/security-domain=sp:remove + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload \ No newline at end of file diff --git a/examples/saml/post-basic/src/main/webapp/WEB-INF/picketlink.xml b/examples/saml/post-basic/src/main/webapp/WEB-INF/picketlink.xml new file mode 100755 index 00000000000..269f4d3df2b --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/WEB-INF/picketlink.xml @@ -0,0 +1,20 @@ + + + ${idp.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml} + ${sales-post.url::http://localhost:8080/sales-post/} + + localhost,jboss.com,jboss.org,amazonaws.com + + + + + + + + + \ No newline at end of file diff --git a/examples/saml/post-basic/src/main/webapp/WEB-INF/web.xml b/examples/saml/post-basic/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 00000000000..1bb001cd4a7 --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,52 @@ + + + + PicketLink Sales Service Provider + + PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding + + + + + SALES Application + /* + + + manager + + + + + + + freezone + /freezone/* + + + images + /images/* + + + css + /css/* + + + + + + FORM + Tomcat SALES Application + + /jsp/login.jsp + /jsp/loginerror.jsp + + + + + + The role that is required to log in to the Manager Application + manager + + diff --git a/examples/saml/post-basic/src/main/webapp/css/idp.css b/examples/saml/post-basic/src/main/webapp/css/idp.css new file mode 100644 index 00000000000..afb49ea9429 --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/css/idp.css @@ -0,0 +1,78 @@ +/* + ~ JBoss, Home of Professional Open Source. + ~ Copyright (c) 2011, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. +*/ +body { + background: url(images/rh_bg.png) repeat-x scroll 0 0 #F3F3F3; + color: #555555; + font: 12px/1.4 "Lucida Sans Unicode", "Lucida Grande", sans-serif; +} + +.loginBox { + position:absolute; + top: 50%; + left: 50%; + width:30em; + height:3em; + margin-top: -9em; /*set to a negative number 1/2 of your height*/ + margin-left: -15em; /*set to a negative number 1/2 of your width*/ + border: 1px solid #ccc; + background-color: #f3f3f3; +} + +.wrapper { + margin-left: auto; + margin-right: auto; + width: 50em; + text-align: left; +} + +a { + text-decoration: none; + color: #5e8a9a; +} + +h1 { + padding-top: 20px; + color: #7b1e1e; +} + +a:hover { + text-decoration: underline; + color: #8ec6d9; +} + +.content { + margin-left: 230px; +} + +.dualbrand { + padding-top: 20px; +} + +.as7 { + float: left; + margin-left: 10px; +} + +.note { + font-size: 8pt; + color: #aaaaaa; +} \ No newline at end of file diff --git a/examples/saml/post-basic/src/main/webapp/error.jsp b/examples/saml/post-basic/src/main/webapp/error.jsp new file mode 100644 index 00000000000..7a78c2fefc4 --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/error.jsp @@ -0,0 +1,43 @@ + + + + + +PicketLink Example Application + + + + + + +
+
+

+ The Service Provider could not process the request. +

+
+
+ + \ No newline at end of file diff --git a/examples/saml/post-basic/src/main/webapp/favicon.ico b/examples/saml/post-basic/src/main/webapp/favicon.ico new file mode 100644 index 00000000000..c31d0fa862a Binary files /dev/null and b/examples/saml/post-basic/src/main/webapp/favicon.ico differ diff --git a/examples/saml/post-basic/src/main/webapp/images/bkg.gif b/examples/saml/post-basic/src/main/webapp/images/bkg.gif new file mode 100644 index 00000000000..523877c0874 Binary files /dev/null and b/examples/saml/post-basic/src/main/webapp/images/bkg.gif differ diff --git a/examples/saml/post-basic/src/main/webapp/images/picketlink-banner-1180px.png b/examples/saml/post-basic/src/main/webapp/images/picketlink-banner-1180px.png new file mode 100644 index 00000000000..2509ff4480f Binary files /dev/null and b/examples/saml/post-basic/src/main/webapp/images/picketlink-banner-1180px.png differ diff --git a/examples/saml/post-basic/src/main/webapp/images/rh_bg.png b/examples/saml/post-basic/src/main/webapp/images/rh_bg.png new file mode 100644 index 00000000000..b0e6a006d01 Binary files /dev/null and b/examples/saml/post-basic/src/main/webapp/images/rh_bg.png differ diff --git a/examples/saml/post-basic/src/main/webapp/index.jsp b/examples/saml/post-basic/src/main/webapp/index.jsp new file mode 100644 index 00000000000..199bdb0ee0c --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/index.jsp @@ -0,0 +1,14 @@ +
+

SalesTool

+
+Welcome to the Sales Tool, <%=request.getUserPrincipal().getName()%> + +
+Here is your sales chart: +
+ + +
+Click to LogOut + +
diff --git a/examples/saml/post-basic/src/main/webapp/logout.jsp b/examples/saml/post-basic/src/main/webapp/logout.jsp new file mode 100644 index 00000000000..05ef7d35969 --- /dev/null +++ b/examples/saml/post-basic/src/main/webapp/logout.jsp @@ -0,0 +1,44 @@ + + + + + +PicketLink Example Application + + + + + + + +
+
+

+ Logout in progress. You will be redirected to the Login Page. +

+
+
+ + \ No newline at end of file diff --git a/examples/saml/post-basic/src/main/webapp/piechart.gif b/examples/saml/post-basic/src/main/webapp/piechart.gif new file mode 100644 index 00000000000..57bfe377524 Binary files /dev/null and b/examples/saml/post-basic/src/main/webapp/piechart.gif differ diff --git a/examples/saml/post-with-encryption/README.md b/examples/saml/post-with-encryption/README.md new file mode 100755 index 00000000000..08885157443 --- /dev/null +++ b/examples/saml/post-with-encryption/README.md @@ -0,0 +1,269 @@ +picketlink-federation-saml-sp-with-encryption: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Encryption Support +=============================== +Author: Pedro Igor +Level: Intermediate +Technologies: PicketLink Federation, SAML v2.0 +Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support. +Source: + + +What is it? +----------- + +This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client. + + +Make sure you've set up the Keycloak Server +-------------------------------------- +The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of +the box to run these demos. So, if you're using this, you can head to Step 2. + +Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is +a few steps you must follow. + +Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation. +This installs the server. + + $ cd ${wildfly.jboss.home}/standalone + $ cp -r ${keycloak-war-dist-all}/deployments . + +To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly: + + $ cd ${wildfly.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip + +For JBoss EAP 6.x + + $ cd ${eap.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip + +For JBoss AS 7.1.1: + + $ cd ${as7.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip + +Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's +configuration (standalone/configuration/standalone.xml). + +For Wildfly: + + + + + + ... + + + + + ... + + +For JBoss 7.1.1 and EAP 6.x: + + + + + + ... + + + + + ... + + + +Boot Keycloak Server +--------------------------------------- +Where you go to start up the Keycloak Server depends on which distro you installed. + +From appliance: + +``` +$ cd keycloak/bin +$ ./standalone.sh +``` + + +From existing Wildfly/EAP6/AS7 distro + +``` +$ cd ${wildfly.jboss.home}/bin +$ ./standalone.sh +``` + + +Import the Test Realm +--------------------------------------- +Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the +create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to +create a new admin password before you can go to the create realm page. + +[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm) + +Import the testsaml.json file that is in the saml/ example directory. + +Install Picketlink Modules into App server +------------------------------------------ + +If you are running this example with the Keycloak application distribution, you can skip this step. + +You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details. + +Create the Security Domain for JBoss EAP +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + +Create the Security Domain for WildFly +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + + +Review the Modified Server Configuration for EAP +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file. + +The following `sp` security-domain was added to the `security` subsystem. + + + + + + + +The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider. + +Review the Modified Server Configuration for WildFly +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you are using Wildfly, the security-domain should have the following configuration: + + + + + + + +SAML SP-Initiated Single Sign-On +----------------------------------- + +The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side. +Please, take a look at the following documentation for more details: + +1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO) + + +Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile +------------------------- + +1. Open a command line and navigate to the root of the JBoss server directory. +2. The following shows the command line to start the server with the web profile: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat + + +Build and Deploy the Quickstart +------------------------- + +_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._ + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. Type this command to build and deploy the archive: + + For EAP 6: mvn clean package jboss-as:deploy + For WildFly: mvn -Pwildfly clean package wildfly:deploy + +4. This will deploy `target/picketlink-federation-saml-sp-with-encryption.war` to the running instance of the server. + + +Access the application +--------------------- + +The application will be running at the following URL: . + +*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-picketlink-federation-quickstarts).* + +Undeploy the Archive +-------------------- + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. When you are finished testing, type this command to undeploy the archive: + + For EAP 6: mvn jboss-as:undeploy + For WildFly: mvn -Pwildfly wildfly:undeploy + + +Run the Quickstart in JBoss Developer Studio or Eclipse +------------------------------------- +You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see [Use JBoss Developer Studio or Eclipse to Run the Quickstarts](../README.md#use-jboss-developer-studio-or-eclipse-to-run-the-quickstarts) + + +Debug the Application +------------------------------------ + +If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them. + + mvn dependency:sources + mvn dependency:resolve -Dclassifier=javadoc \ No newline at end of file diff --git a/examples/saml/post-with-encryption/conf/jboss-eap/META-INF/jboss-deployment-structure.xml b/examples/saml/post-with-encryption/conf/jboss-eap/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-with-encryption/conf/jboss-eap/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-with-encryption/conf/jboss-eap/WEB-INF/jboss-web.xml b/examples/saml/post-with-encryption/conf/jboss-eap/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..8ef85ba321c --- /dev/null +++ b/examples/saml/post-with-encryption/conf/jboss-eap/WEB-INF/jboss-web.xml @@ -0,0 +1,16 @@ + + + + sp + + + sales-post-enc + + + + org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator + + diff --git a/examples/saml/post-with-encryption/conf/wildfly/META-INF/jboss-deployment-structure.xml b/examples/saml/post-with-encryption/conf/wildfly/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-with-encryption/conf/wildfly/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension b/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension new file mode 100644 index 00000000000..ffaf42ca712 --- /dev/null +++ b/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension @@ -0,0 +1 @@ +org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension \ No newline at end of file diff --git a/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/jboss-web.xml b/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..cafc722e5d8 --- /dev/null +++ b/examples/saml/post-with-encryption/conf/wildfly/WEB-INF/jboss-web.xml @@ -0,0 +1,10 @@ + + + + sp + + + sales-post-enc + diff --git a/examples/saml/post-with-encryption/configure-security-domain-eap.cli b/examples/saml/post-with-encryption/configure-security-domain-eap.cli new file mode 100644 index 00000000000..9f9777c4cbb --- /dev/null +++ b/examples/saml/post-with-encryption/configure-security-domain-eap.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-with-encryption/configure-security-domain-wildfly.cli b/examples/saml/post-with-encryption/configure-security-domain-wildfly.cli new file mode 100644 index 00000000000..6b65d5e94fc --- /dev/null +++ b/examples/saml/post-with-encryption/configure-security-domain-wildfly.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-with-encryption/pom.xml b/examples/saml/post-with-encryption/pom.xml new file mode 100755 index 00000000000..497bea45e1a --- /dev/null +++ b/examples/saml/post-with-encryption/pom.xml @@ -0,0 +1,116 @@ + + 4.0.0 + + org.picketlink.quickstarts + picketlink-federation-saml-sp-with-encryption + 2.7.0.Beta2 + + war + + PicketLink Quickstart: picketlink-federation-saml-sp-with-encryption + PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Encryption Support + + http://www.picketlink.org + + + + Apache License, Version 2.0 + repo + http://www.apache.org/licenses/LICENSE-2.0.html + + + + + + 7.4.Final + + + 1.0.1.Final + + + 2.7.0.Beta2 + + + jboss-eap + + + 2.1.1 + + + 3.1 + 1.6 + 1.6 + + + + + ${project.artifactId} + + + src/main/resources + + + ../post-basic/src/main/resources + + + + + maven-war-plugin + ${version.war.plugin} + + + false + + + ${target.container} + + + + + src/main/webapp + + + ../post-basic/src/main/webapp + + + ${basedir}/conf/${target.container} + + + + + + + org.jboss.as.plugins + jboss-as-maven-plugin + ${version.jboss.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + wildfly + + wildfly + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + \ No newline at end of file diff --git a/examples/saml/post-with-encryption/remove-security-domain.cli b/examples/saml/post-with-encryption/remove-security-domain.cli new file mode 100644 index 00000000000..9487613e2ca --- /dev/null +++ b/examples/saml/post-with-encryption/remove-security-domain.cli @@ -0,0 +1,13 @@ +# Batch script to remove the quickstart-domain security domain from the JBoss server + +# Start batching commands +batch + +# Remove the security domain +/subsystem=security/security-domain=sp:remove + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload \ No newline at end of file diff --git a/examples/saml/post-with-encryption/src/main/resources/keystore.jks b/examples/saml/post-with-encryption/src/main/resources/keystore.jks new file mode 100755 index 00000000000..d70c862adba Binary files /dev/null and b/examples/saml/post-with-encryption/src/main/resources/keystore.jks differ diff --git a/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/picketlink.xml b/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/picketlink.xml new file mode 100755 index 00000000000..3a431b7cdf9 --- /dev/null +++ b/examples/saml/post-with-encryption/src/main/webapp/WEB-INF/picketlink.xml @@ -0,0 +1,31 @@ + + + ${idp-sig.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml} + + ${sales-post-sig.url::http://localhost:8080/sales-post-enc/} + + + + + + + + + + + + + + + + + + + diff --git a/examples/saml/post-with-signature/README.md b/examples/saml/post-with-signature/README.md new file mode 100755 index 00000000000..971e07153a7 --- /dev/null +++ b/examples/saml/post-with-signature/README.md @@ -0,0 +1,270 @@ +picketlink-federation-saml-sp-post-with-signature: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Signature Support +=============================== +Author: Pedro Igor +Level: Intermediate +Technologies: PicketLink Federation, SAML v2.0 +Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP POST Binding with Signature Support. +Source: + + +What is it? +----------- + +This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client. + + +Make sure you've set up the Keycloak Server +-------------------------------------- +The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of +the box to run these demos. So, if you're using this, you can head to Step 2. + +Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is +a few steps you must follow. + +Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation. +This installs the server. + + $ cd ${wildfly.jboss.home}/standalone + $ cp -r ${keycloak-war-dist-all}/deployments . + +To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly: + + $ cd ${wildfly.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip + +For JBoss EAP 6.x + + $ cd ${eap.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip + +For JBoss AS 7.1.1: + + $ cd ${as7.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip + +Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's +configuration (standalone/configuration/standalone.xml). + +For Wildfly: + + + + + + ... + + + + + ... + + +For JBoss 7.1.1 and EAP 6.x: + + + + + + ... + + + + + ... + + + +Boot Keycloak Server +--------------------------------------- +Where you go to start up the Keycloak Server depends on which distro you installed. + +From appliance: + +``` +$ cd keycloak/bin +$ ./standalone.sh +``` + + +From existing Wildfly/EAP6/AS7 distro + +``` +$ cd ${wildfly.jboss.home}/bin +$ ./standalone.sh +``` + + +Import the Test Realm +--------------------------------------- +Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the +create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to +create a new admin password before you can go to the create realm page. + +[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm) + +Import the testsaml.json file that is in the saml/ example directory. + +Install Picketlink Modules into App server +------------------------------------------ + +If you are running this example with the Keycloak application distribution, you can skip this step. + +You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details. + +Create the Security Domain for JBoss EAP +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + +Create the Security Domain for WildFly +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + + +Review the Modified Server Configuration for EAP +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file. + +The following `sp` security-domain was added to the `security` subsystem. + + + + + + + +The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider. + +Review the Modified Server Configuration for WildFly +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you are using Wildfly, the security-domain should have the following configuration: + + + + + + + + +SAML SP-Initiated Single Sign-On +----------------------------------- + +The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side. +Please, take a look at the following documentation for more details: + +1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO) + + +Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile +------------------------- + +1. Open a command line and navigate to the root of the JBoss server directory. +2. The following shows the command line to start the server with the web profile: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat + + +Build and Deploy the Quickstart +------------------------- + +_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._ + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. Type this command to build and deploy the archive: + + For EAP 6: mvn clean package jboss-as:deploy + For WildFly: mvn -Pwildfly clean package wildfly:deploy + +4. This will deploy `target/picketlink-federation-saml-sp-post-with-signature.war` to the running instance of the server. + + +Access the application +--------------------- + +The application will be running at the following URL: . + +*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-picketlink-federation-quickstarts).* + +Undeploy the Archive +-------------------- + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. When you are finished testing, type this command to undeploy the archive: + + For EAP 6: mvn jboss-as:undeploy + For WildFly: mvn -Pwildfly wildfly:undeploy + + +Run the Quickstart in JBoss Developer Studio or Eclipse +------------------------------------- +You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see [Use JBoss Developer Studio or Eclipse to Run the Quickstarts](../README.md#use-jboss-developer-studio-or-eclipse-to-run-the-quickstarts) + + +Debug the Application +------------------------------------ + +If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them. + + mvn dependency:sources + mvn dependency:resolve -Dclassifier=javadoc \ No newline at end of file diff --git a/examples/saml/post-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml b/examples/saml/post-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml b/examples/saml/post-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..10562b84b2b --- /dev/null +++ b/examples/saml/post-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml @@ -0,0 +1,16 @@ + + + + sp + + + sales-post-sig + + + + org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator + + diff --git a/examples/saml/post-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml b/examples/saml/post-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/post-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/post-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension b/examples/saml/post-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension new file mode 100644 index 00000000000..ffaf42ca712 --- /dev/null +++ b/examples/saml/post-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension @@ -0,0 +1 @@ +org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension \ No newline at end of file diff --git a/examples/saml/post-with-signature/conf/wildfly/WEB-INF/jboss-web.xml b/examples/saml/post-with-signature/conf/wildfly/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..284b87a988d --- /dev/null +++ b/examples/saml/post-with-signature/conf/wildfly/WEB-INF/jboss-web.xml @@ -0,0 +1,10 @@ + + + + sp + + + sales-post-sig + diff --git a/examples/saml/post-with-signature/configure-security-domain-eap.cli b/examples/saml/post-with-signature/configure-security-domain-eap.cli new file mode 100644 index 00000000000..9f9777c4cbb --- /dev/null +++ b/examples/saml/post-with-signature/configure-security-domain-eap.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-with-signature/configure-security-domain-wildfly.cli b/examples/saml/post-with-signature/configure-security-domain-wildfly.cli new file mode 100644 index 00000000000..6b65d5e94fc --- /dev/null +++ b/examples/saml/post-with-signature/configure-security-domain-wildfly.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/post-with-signature/pom.xml b/examples/saml/post-with-signature/pom.xml new file mode 100755 index 00000000000..2c644a706ac --- /dev/null +++ b/examples/saml/post-with-signature/pom.xml @@ -0,0 +1,116 @@ + + 4.0.0 + + org.picketlink.quickstarts + picketlink-federation-saml-sp-post-with-signature + 2.7.0.Beta2 + + war + + PicketLink Quickstart: picketlink-federation-saml-sp-post-with-signature + PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP POST Binding With Signature Support + + http://www.picketlink.org + + + + Apache License, Version 2.0 + repo + http://www.apache.org/licenses/LICENSE-2.0.html + + + + + + 7.4.Final + + + 1.0.1.Final + + + 2.7.0.Beta2 + + + jboss-eap + + + 2.1.1 + + + 3.1 + 1.6 + 1.6 + + + + + ${project.artifactId} + + + src/main/resources + + + ../post-basic/src/main/resources + + + + + maven-war-plugin + ${version.war.plugin} + + + false + + + ${target.container} + + + + + src/main/webapp + + + ../post-basic/src/main/webapp + + + ${basedir}/conf/${target.container} + + + + + + + org.jboss.as.plugins + jboss-as-maven-plugin + ${version.jboss.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + wildfly + + wildfly + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + \ No newline at end of file diff --git a/examples/saml/post-with-signature/remove-security-domain.cli b/examples/saml/post-with-signature/remove-security-domain.cli new file mode 100644 index 00000000000..9487613e2ca --- /dev/null +++ b/examples/saml/post-with-signature/remove-security-domain.cli @@ -0,0 +1,13 @@ +# Batch script to remove the quickstart-domain security domain from the JBoss server + +# Start batching commands +batch + +# Remove the security domain +/subsystem=security/security-domain=sp:remove + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload \ No newline at end of file diff --git a/examples/saml/post-with-signature/src/main/resources/keystore.jks b/examples/saml/post-with-signature/src/main/resources/keystore.jks new file mode 100755 index 00000000000..4185d3c309c Binary files /dev/null and b/examples/saml/post-with-signature/src/main/resources/keystore.jks differ diff --git a/examples/saml/post-with-signature/src/main/webapp/WEB-INF/picketlink.xml b/examples/saml/post-with-signature/src/main/webapp/WEB-INF/picketlink.xml new file mode 100755 index 00000000000..05293a5ca0a --- /dev/null +++ b/examples/saml/post-with-signature/src/main/webapp/WEB-INF/picketlink.xml @@ -0,0 +1,31 @@ + + + ${idp-sig.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml} + + ${sales-post-sig.url::http://localhost:8080/sales-post-sig/} + + + + + + + + + + + + + + + + + + + diff --git a/examples/saml/redirect-basic/README.md b/examples/saml/redirect-basic/README.md new file mode 100755 index 00000000000..9cf014cd21d --- /dev/null +++ b/examples/saml/redirect-basic/README.md @@ -0,0 +1,270 @@ +picketlink-federation-saml-sp-redirect-basic: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding +=============================== +Author: Pedro Igor +Level: Intermediate +Technologies: PicketLink Federation, SAML v2.0 +Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP Redirect Binding. +Source: + + +What is it? +----------- + +This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client. + + +Make sure you've set up the Keycloak Server +-------------------------------------- +The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of +the box to run these demos. So, if you're using this, you can head to Step 2. + +Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is +a few steps you must follow. + +Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation. +This installs the server. + + $ cd ${wildfly.jboss.home}/standalone + $ cp -r ${keycloak-war-dist-all}/deployments . + +To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly: + + $ cd ${wildfly.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip + +For JBoss EAP 6.x + + $ cd ${eap.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip + +For JBoss AS 7.1.1: + + $ cd ${as7.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip + +Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's +configuration (standalone/configuration/standalone.xml). + +For Wildfly: + + + + + + ... + + + + + ... + + +For JBoss 7.1.1 and EAP 6.x: + + + + + + ... + + + + + ... + + + +Boot Keycloak Server +--------------------------------------- +Where you go to start up the Keycloak Server depends on which distro you installed. + +From appliance: + +``` +$ cd keycloak/bin +$ ./standalone.sh +``` + + +From existing Wildfly/EAP6/AS7 distro + +``` +$ cd ${wildfly.jboss.home}/bin +$ ./standalone.sh +``` + + +Import the Test Realm +--------------------------------------- +Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the +create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to +create a new admin password before you can go to the create realm page. + +[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm) + +Import the testsaml.json file that is in the saml/ example directory. + +Install Picketlink Modules into App server +------------------------------------------ + +If you are running this example with the Keycloak application distribution, you can skip this step. + +You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details. + +Create the Security Domain for JBoss EAP +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + +Create the Security Domain for WildFly +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + + +Review the Modified Server Configuration for EAP +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file. + +The following `sp` security-domain was added to the `security` subsystem. + + + + + + + +The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider. + +Review the Modified Server Configuration for WildFly +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you are using Wildfly, the security-domain should have the following configuration: + + + + + + + + +SAML SP-Initiated Single Sign-On +----------------------------------- + +The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side. +Please, take a look at the following documentation for more details: + +1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO) + + +Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile +------------------------- + +1. Open a command line and navigate to the root of the JBoss server directory. +2. The following shows the command line to start the server with the web profile: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat + + +Build and Deploy the Quickstart +------------------------- + +_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._ + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. Type this command to build and deploy the archive: + + For EAP 6: mvn clean package jboss-as:deploy + For WildFly: mvn -Pwildfly clean package wildfly:deploy + +4. This will deploy `target/picketlink-federation-saml-sp-redirect-basic.war` to the running instance of the server. + + +Access the application +--------------------- + +The application will be running at the following URL: . + +*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-picketlink-federation-quickstarts).* + +Undeploy the Archive +-------------------- + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. When you are finished testing, type this command to undeploy the archive: + + For EAP 6: mvn jboss-as:undeploy + For WildFly: mvn -Pwildfly wildfly:undeploy + + +Run the Quickstart in JBoss Developer Studio or Eclipse +------------------------------------- +You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see [Use JBoss Developer Studio or Eclipse to Run the Quickstarts](../README.md#use-jboss-developer-studio-or-eclipse-to-run-the-quickstarts) + + +Debug the Application +------------------------------------ + +If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them. + + mvn dependency:sources + mvn dependency:resolve -Dclassifier=javadoc \ No newline at end of file diff --git a/examples/saml/redirect-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml b/examples/saml/redirect-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/redirect-basic/conf/jboss-eap/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/redirect-basic/conf/jboss-eap/WEB-INF/jboss-web.xml b/examples/saml/redirect-basic/conf/jboss-eap/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..f603c9a0688 --- /dev/null +++ b/examples/saml/redirect-basic/conf/jboss-eap/WEB-INF/jboss-web.xml @@ -0,0 +1,16 @@ + + + + sp + + + employee + + + + org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator + + diff --git a/examples/saml/redirect-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml b/examples/saml/redirect-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/redirect-basic/conf/wildfly/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/redirect-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension b/examples/saml/redirect-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension new file mode 100644 index 00000000000..ffaf42ca712 --- /dev/null +++ b/examples/saml/redirect-basic/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension @@ -0,0 +1 @@ +org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension \ No newline at end of file diff --git a/examples/saml/redirect-basic/conf/wildfly/WEB-INF/jboss-web.xml b/examples/saml/redirect-basic/conf/wildfly/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..309b91b9dc7 --- /dev/null +++ b/examples/saml/redirect-basic/conf/wildfly/WEB-INF/jboss-web.xml @@ -0,0 +1,10 @@ + + + + sp + + + employee + diff --git a/examples/saml/redirect-basic/configure-security-domain-eap.cli b/examples/saml/redirect-basic/configure-security-domain-eap.cli new file mode 100644 index 00000000000..9f9777c4cbb --- /dev/null +++ b/examples/saml/redirect-basic/configure-security-domain-eap.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/redirect-basic/configure-security-domain-wildfly.cli b/examples/saml/redirect-basic/configure-security-domain-wildfly.cli new file mode 100644 index 00000000000..6b65d5e94fc --- /dev/null +++ b/examples/saml/redirect-basic/configure-security-domain-wildfly.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/redirect-basic/pom.xml b/examples/saml/redirect-basic/pom.xml new file mode 100644 index 00000000000..98c3a40b624 --- /dev/null +++ b/examples/saml/redirect-basic/pom.xml @@ -0,0 +1,102 @@ + + 4.0.0 + + org.picketlink.quickstarts + picketlink-federation-saml-sp-redirect-basic + 2.7.0.Beta2 + + war + + PicketLink Quickstart: picketlink-federation-saml-sp-redirect-basic + PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding + + http://www.picketlink.org + + + + Apache License, Version 2.0 + repo + http://www.apache.org/licenses/LICENSE-2.0.html + + + + + + 7.4.Final + + + 1.0.1.Final + + + 2.7.0.Beta2 + + + jboss-eap + + + 2.1.1 + + + 3.1 + 1.6 + 1.6 + + + + + ${project.artifactId} + + + maven-war-plugin + ${version.war.plugin} + + + false + + + ${target.container} + + + + + ${basedir}/conf/${target.container} + + + + + + + org.jboss.as.plugins + jboss-as-maven-plugin + ${version.jboss.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + wildfly + + wildfly + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + \ No newline at end of file diff --git a/examples/saml/redirect-basic/remove-security-domain.cli b/examples/saml/redirect-basic/remove-security-domain.cli new file mode 100644 index 00000000000..9487613e2ca --- /dev/null +++ b/examples/saml/redirect-basic/remove-security-domain.cli @@ -0,0 +1,13 @@ +# Batch script to remove the quickstart-domain security domain from the JBoss server + +# Start batching commands +batch + +# Remove the security domain +/subsystem=security/security-domain=sp:remove + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload \ No newline at end of file diff --git a/examples/saml/redirect-basic/src/main/webapp/META-INF/jboss-deployment-structure.xml b/examples/saml/redirect-basic/src/main/webapp/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/redirect-basic/src/main/webapp/WEB-INF/picketlink.xml b/examples/saml/redirect-basic/src/main/webapp/WEB-INF/picketlink.xml new file mode 100755 index 00000000000..78e8c938a29 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/WEB-INF/picketlink.xml @@ -0,0 +1,20 @@ + + + ${idp.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml} + ${employee.url::http://localhost:8080/employee/} + + + + + + + + + + \ No newline at end of file diff --git a/examples/saml/redirect-basic/src/main/webapp/WEB-INF/web.xml b/examples/saml/redirect-basic/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 00000000000..d1b8e114c5f --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,52 @@ + + + + PicketLink Employee Service Provider + + PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding + + + + + EMPLOYEE Application + /* + + + manager + + + + + + + freezone + /freezone/* + + + images + /images/* + + + css + /css/* + + + + + + FORM + Tomcat SALES Application + + /jsp/login.jsp + /jsp/loginerror.jsp + + + + + + The role that is required to log in to the EMPLOYEE Application + manager + + diff --git a/examples/saml/redirect-basic/src/main/webapp/careermap.jpg b/examples/saml/redirect-basic/src/main/webapp/careermap.jpg new file mode 100644 index 00000000000..4a012a785a4 Binary files /dev/null and b/examples/saml/redirect-basic/src/main/webapp/careermap.jpg differ diff --git a/examples/saml/redirect-basic/src/main/webapp/css/idp.css b/examples/saml/redirect-basic/src/main/webapp/css/idp.css new file mode 100644 index 00000000000..afb49ea9429 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/css/idp.css @@ -0,0 +1,78 @@ +/* + ~ JBoss, Home of Professional Open Source. + ~ Copyright (c) 2011, Red Hat, Inc., and individual contributors + ~ as indicated by the @author tags. See the copyright.txt file in the + ~ distribution for a full listing of individual contributors. + ~ + ~ This is free software; you can redistribute it and/or modify it + ~ under the terms of the GNU Lesser General Public License as + ~ published by the Free Software Foundation; either version 2.1 of + ~ the License, or (at your option) any later version. + ~ + ~ This software is distributed in the hope that it will be useful, + ~ but WITHOUT ANY WARRANTY; without even the implied warranty of + ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + ~ Lesser General Public License for more details. + ~ + ~ You should have received a copy of the GNU Lesser General Public + ~ License along with this software; if not, write to the Free + ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org. +*/ +body { + background: url(images/rh_bg.png) repeat-x scroll 0 0 #F3F3F3; + color: #555555; + font: 12px/1.4 "Lucida Sans Unicode", "Lucida Grande", sans-serif; +} + +.loginBox { + position:absolute; + top: 50%; + left: 50%; + width:30em; + height:3em; + margin-top: -9em; /*set to a negative number 1/2 of your height*/ + margin-left: -15em; /*set to a negative number 1/2 of your width*/ + border: 1px solid #ccc; + background-color: #f3f3f3; +} + +.wrapper { + margin-left: auto; + margin-right: auto; + width: 50em; + text-align: left; +} + +a { + text-decoration: none; + color: #5e8a9a; +} + +h1 { + padding-top: 20px; + color: #7b1e1e; +} + +a:hover { + text-decoration: underline; + color: #8ec6d9; +} + +.content { + margin-left: 230px; +} + +.dualbrand { + padding-top: 20px; +} + +.as7 { + float: left; + margin-left: 10px; +} + +.note { + font-size: 8pt; + color: #aaaaaa; +} \ No newline at end of file diff --git a/examples/saml/redirect-basic/src/main/webapp/error.jsp b/examples/saml/redirect-basic/src/main/webapp/error.jsp new file mode 100644 index 00000000000..7a78c2fefc4 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/error.jsp @@ -0,0 +1,43 @@ + + + + + +PicketLink Example Application + + + + + + +
+
+

+ The Service Provider could not process the request. +

+
+
+ + \ No newline at end of file diff --git a/examples/saml/redirect-basic/src/main/webapp/favicon.ico b/examples/saml/redirect-basic/src/main/webapp/favicon.ico new file mode 100644 index 00000000000..c31d0fa862a Binary files /dev/null and b/examples/saml/redirect-basic/src/main/webapp/favicon.ico differ diff --git a/examples/saml/redirect-basic/src/main/webapp/images/bkg.gif b/examples/saml/redirect-basic/src/main/webapp/images/bkg.gif new file mode 100644 index 00000000000..523877c0874 Binary files /dev/null and b/examples/saml/redirect-basic/src/main/webapp/images/bkg.gif differ diff --git a/examples/saml/redirect-basic/src/main/webapp/images/picketlink-banner-1180px.png b/examples/saml/redirect-basic/src/main/webapp/images/picketlink-banner-1180px.png new file mode 100644 index 00000000000..2509ff4480f Binary files /dev/null and b/examples/saml/redirect-basic/src/main/webapp/images/picketlink-banner-1180px.png differ diff --git a/examples/saml/redirect-basic/src/main/webapp/images/rh_bg.png b/examples/saml/redirect-basic/src/main/webapp/images/rh_bg.png new file mode 100644 index 00000000000..b0e6a006d01 Binary files /dev/null and b/examples/saml/redirect-basic/src/main/webapp/images/rh_bg.png differ diff --git a/examples/saml/redirect-basic/src/main/webapp/index.jsp b/examples/saml/redirect-basic/src/main/webapp/index.jsp new file mode 100644 index 00000000000..5b3ecd4e279 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/index.jsp @@ -0,0 +1,10 @@ +
+

EmployeeDashboard

+
+Welcome to the Employee Tool, <%=request.getUserPrincipal().getName()%>. +
+ +
+Click to LogOut + +
diff --git a/examples/saml/redirect-basic/src/main/webapp/logout.jsp b/examples/saml/redirect-basic/src/main/webapp/logout.jsp new file mode 100644 index 00000000000..05ef7d35969 --- /dev/null +++ b/examples/saml/redirect-basic/src/main/webapp/logout.jsp @@ -0,0 +1,44 @@ + + + + + +PicketLink Example Application + + + + + + + +
+
+

+ Logout in progress. You will be redirected to the Login Page. +

+
+
+ + \ No newline at end of file diff --git a/examples/saml/redirect-with-signature/README.md b/examples/saml/redirect-with-signature/README.md new file mode 100755 index 00000000000..329f554e802 --- /dev/null +++ b/examples/saml/redirect-with-signature/README.md @@ -0,0 +1,270 @@ +picketlink-federation-saml-sp-redirect-with-signature: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding With Signature Support +=============================== +Author: Pedro Igor +Level: Intermediate +Technologies: PicketLink Federation, SAML v2.0 +Summary: Basic example that demonstrates how to setup an application as a SAML v2.0 Service Provider using SAML HTTP Redirect Binding With Signature Support. +Source: + + +What is it? +----------- + +This example demonstrates Keycloak SAML 2.0 support in conjunction with a servlet secured by Picketlink's SAML SP client. + + +Make sure you've set up the Keycloak Server +-------------------------------------- +The Keycloak Appliance Distribution comes with a preconfigured Keycloak server (based on Wildfly). You can use it out of +the box to run these demos. So, if you're using this, you can head to Step 2. + +Alternatively, you can install the Keycloak Server onto any JBoss AS 7.1.1, EAP 6.x, or Wildfly 8.x server, but there is +a few steps you must follow. + +Obtain latest keycloak-war-dist-all.zip. This distro is used to install Keycloak onto an existing JBoss installation. +This installs the server. + + $ cd ${wildfly.jboss.home}/standalone + $ cp -r ${keycloak-war-dist-all}/deployments . + +To be able to run the demos you also need to install the Keycloak client adapter. For Wildfly: + + $ cd ${wildfly.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-wildfly-adapter-dist.zip + +For JBoss EAP 6.x + + $ cd ${eap.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-eap6-adapter-dist.zip + +For JBoss AS 7.1.1: + + $ cd ${as7.home} + $ unzip ${keycloak-war-dist-all}/adapters/keycloak-as7-adapter-dist.zip + +Unzipping the adapter ZIP only installs the JAR files. You must also add the Keycloak Subsystem to the server's +configuration (standalone/configuration/standalone.xml). + +For Wildfly: + + + + + + ... + + + + + ... + + +For JBoss 7.1.1 and EAP 6.x: + + + + + + ... + + + + + ... + + + +Boot Keycloak Server +--------------------------------------- +Where you go to start up the Keycloak Server depends on which distro you installed. + +From appliance: + +``` +$ cd keycloak/bin +$ ./standalone.sh +``` + + +From existing Wildfly/EAP6/AS7 distro + +``` +$ cd ${wildfly.jboss.home}/bin +$ ./standalone.sh +``` + + +Import the Test Realm +--------------------------------------- +Next thing you have to do is import the test realm for the demo. Clicking on the below link will bring you to the +create realm page in the Admin UI. The username/password is admin/admin to login in. Keycloak will ask you to +create a new admin password before you can go to the create realm page. + +[http://localhost:8080/auth/admin/master/console/#/create/realm](http://localhost:8080/auth/admin/master/console/#/create/realm) + +Import the testsaml.json file that is in the saml/ example directory. + +Install Picketlink Modules into App server +------------------------------------------ + +If you are running this example with the Keycloak application distribution, you can skip this step. + +You may have to upgrade your picketlink modules in your JBoss EAP or Wildfly distribution. See Picketlink docs for more details. + +Create the Security Domain for JBoss EAP +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-eap.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-eap.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-eap.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + +Create the Security Domain for WildFly +--------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +These steps assume you are running the server in standalone mode and using the default standalone.xml supplied with the distribution. + +You configure the security domain by running JBoss CLI commands. For your convenience, this quickstart batches the commands into a `configure-security-domain-wildfly.cli` script provided in the root directory of this quickstart. + +1. Before you begin, back up your server configuration file + * If it is running, stop the JBoss server. + * Backup the file: `JBOSS_HOME/standalone/configuration/standalone.xml` + * After you have completed testing this quickstart, you can replace this file to restore the server to its original configuration. + +2. Start the JBoss server by typing the following: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat +3. Review the `configure-security-domain-wildfly.cli` file in the root of this quickstart directory. This script adds the `sp` domain to the `security` subsystem in the server configuration and configures authentication access. Comments in the script describe the purpose of each block of commands. + +4. Open a new command prompt, navigate to the root directory of this quickstart, and run the following command, replacing JBOSS_HOME with the path to your server: + + JBOSS_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain-wildfly.cli + +You should see the following result when you run the script: + + The batch executed successfully + { + "outcome" => "success", + } + + + +Review the Modified Server Configuration for EAP +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you want to review and understand newly added XML configuration, stop the JBoss server and open the `JBOSS_HOME/standalone/configuration/standalone.xml` file. + +The following `sp` security-domain was added to the `security` subsystem. + + + + + + + +The configuration above defines a security-domain which will be used by the SP to authenticate users based on a SAML Assertion previously issued by a Identity Provider. + +Review the Modified Server Configuration for WildFly +----------------------------------- +If you are running this example with the Keycloak application distribution, you can skip this step. + +If you are using Wildfly, the security-domain should have the following configuration: + + + + + + + + +SAML SP-Initiated Single Sign-On +----------------------------------- + +The SAML v2.0 specification defines a specific SSO mode called *SP-Initiated SSO*. In this mode, the SSO flow starts at the Service Provider side. +Please, take a look at the following documentation for more details: + +1. [SAML v2.0 SP-Initiated SSO](https://docs.jboss.org/author/display/PLINK/SP-Initiated+SSO) + + +Start JBoss Enterprise Application Platform 6 or WildFly with the Web Profile +------------------------- + +1. Open a command line and navigate to the root of the JBoss server directory. +2. The following shows the command line to start the server with the web profile: + + For Linux: JBOSS_HOME/bin/standalone.sh + For Windows: JBOSS_HOME\bin\standalone.bat + + +Build and Deploy the Quickstart +------------------------- + +_NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See [Build and Deploy the Quickstarts](../README.md#build-and-deploy-the-quickstarts) for complete instructions and additional options._ + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. Type this command to build and deploy the archive: + + For EAP 6: mvn clean package jboss-as:deploy + For WildFly: mvn -Pwildfly clean package wildfly:deploy + +4. This will deploy `target/picketlink-federation-saml-sp-redirect-with-signature.war` to the running instance of the server. + + +Access the application +--------------------- + +The application will be running at the following URL: . + +*Note: A Service Provider alone is not very useful without an Identity Provider to authenticate users and issue SAML Assertions. Once you get this application deployed, please take a look at [About the PicketLink Federation Quickstarts](../README.md#about-the-picketlink-federation-quickstarts).* + +Undeploy the Archive +-------------------- + +1. Make sure you have started the JBoss Server as described above. +2. Open a command line and navigate to the root directory of this quickstart. +3. When you are finished testing, type this command to undeploy the archive: + + For EAP 6: mvn jboss-as:undeploy + For WildFly: mvn -Pwildfly wildfly:undeploy + + +Run the Quickstart in JBoss Developer Studio or Eclipse +------------------------------------- +You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see [Use JBoss Developer Studio or Eclipse to Run the Quickstarts](../README.md#use-jboss-developer-studio-or-eclipse-to-run-the-quickstarts) + + +Debug the Application +------------------------------------ + +If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them. + + mvn dependency:sources + mvn dependency:resolve -Dclassifier=javadoc \ No newline at end of file diff --git a/examples/saml/redirect-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml b/examples/saml/redirect-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/redirect-with-signature/conf/jboss-eap/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/redirect-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml b/examples/saml/redirect-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..4d1aef2bc18 --- /dev/null +++ b/examples/saml/redirect-with-signature/conf/jboss-eap/WEB-INF/jboss-web.xml @@ -0,0 +1,16 @@ + + + + sp + + + employee-sig + + + + org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator + + diff --git a/examples/saml/redirect-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml b/examples/saml/redirect-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml new file mode 100644 index 00000000000..7b07a0210b8 --- /dev/null +++ b/examples/saml/redirect-with-signature/conf/wildfly/META-INF/jboss-deployment-structure.xml @@ -0,0 +1,10 @@ + + + + + + + + + diff --git a/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension b/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension new file mode 100644 index 00000000000..ffaf42ca712 --- /dev/null +++ b/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/classes/META-INF/services/io.undertow.servlet.ServletExtension @@ -0,0 +1 @@ +org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension \ No newline at end of file diff --git a/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/jboss-web.xml b/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/jboss-web.xml new file mode 100644 index 00000000000..b6279d9ca16 --- /dev/null +++ b/examples/saml/redirect-with-signature/conf/wildfly/WEB-INF/jboss-web.xml @@ -0,0 +1,10 @@ + + + + sp + + + employee-sig + diff --git a/examples/saml/redirect-with-signature/configure-security-domain-eap.cli b/examples/saml/redirect-with-signature/configure-security-domain-eap.cli new file mode 100644 index 00000000000..9f9777c4cbb --- /dev/null +++ b/examples/saml/redirect-with-signature/configure-security-domain-eap.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/redirect-with-signature/configure-security-domain-wildfly.cli b/examples/saml/redirect-with-signature/configure-security-domain-wildfly.cli new file mode 100644 index 00000000000..6b65d5e94fc --- /dev/null +++ b/examples/saml/redirect-with-signature/configure-security-domain-wildfly.cli @@ -0,0 +1,16 @@ +# Batch script to add and configure the quickstart-domain security domain in the JBoss server + +# Start batching commands +batch + +# Add and configure the security domain, then add the PicketLink SAML2LoginModule. Which wil be used to extract user's information from the SAML Assertion and authenticate the user. +/subsystem=security/security-domain=sp:add(cache-type=default) +/subsystem=security/security-domain=sp/authentication=classic:add +/subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule,flag=required) + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload + diff --git a/examples/saml/redirect-with-signature/pom.xml b/examples/saml/redirect-with-signature/pom.xml new file mode 100755 index 00000000000..d491d8ec897 --- /dev/null +++ b/examples/saml/redirect-with-signature/pom.xml @@ -0,0 +1,116 @@ + + 4.0.0 + + org.picketlink.quickstarts + picketlink-federation-saml-sp-redirect-with-signature + 2.7.0.Beta2 + + war + + PicketLink Quickstart: picketlink-federation-saml-sp-redirect-with-signature + PicketLink Quickstart: PicketLink Service Provider With a Basic Configuration using SAML HTTP Redirect Binding With Signature Support + + http://www.picketlink.org + + + + Apache License, Version 2.0 + repo + http://www.apache.org/licenses/LICENSE-2.0.html + + + + + + 7.4.Final + + + 1.0.1.Final + + + 2.7.0.Beta2 + + + jboss-eap + + + 2.1.1 + + + 3.1 + 1.6 + 1.6 + + + + + ${project.artifactId} + + + src/main/resources + + + ../redirect-basic/src/main/resources + + + + + maven-war-plugin + ${version.war.plugin} + + + false + + + ${target.container} + + + + + src/main/webapp + + + ../redirect-basic/src/main/webapp + + + ${basedir}/conf/${target.container} + + + + + + + org.jboss.as.plugins + jboss-as-maven-plugin + ${version.jboss.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + wildfly + + wildfly + + + + + org.wildfly.plugins + wildfly-maven-plugin + ${version.wildfly.maven.plugin} + + ${project.build.finalName}-${target.container}.${project.packaging} + + + + + + + + \ No newline at end of file diff --git a/examples/saml/redirect-with-signature/remove-security-domain.cli b/examples/saml/redirect-with-signature/remove-security-domain.cli new file mode 100644 index 00000000000..9487613e2ca --- /dev/null +++ b/examples/saml/redirect-with-signature/remove-security-domain.cli @@ -0,0 +1,13 @@ +# Batch script to remove the quickstart-domain security domain from the JBoss server + +# Start batching commands +batch + +# Remove the security domain +/subsystem=security/security-domain=sp:remove + +# Run the batch commands +run-batch + +# Reload the server configuration +:reload \ No newline at end of file diff --git a/examples/saml/redirect-with-signature/src/main/resources/keystore.jks b/examples/saml/redirect-with-signature/src/main/resources/keystore.jks new file mode 100755 index 00000000000..f044ece2844 Binary files /dev/null and b/examples/saml/redirect-with-signature/src/main/resources/keystore.jks differ diff --git a/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/picketlink.xml b/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/picketlink.xml new file mode 100755 index 00000000000..609b42889e8 --- /dev/null +++ b/examples/saml/redirect-with-signature/src/main/webapp/WEB-INF/picketlink.xml @@ -0,0 +1,36 @@ + + + ${idp-sig.url::http://localhost:8080/auth/realms/saml-demo/protocol/saml} + + ${employee-sig.url::http://localhost:8080/employee-sig/} + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/examples/saml/testsaml.json b/examples/saml/testsaml.json new file mode 100755 index 00000000000..210c4597973 --- /dev/null +++ b/examples/saml/testsaml.json @@ -0,0 +1,118 @@ +{ + "id": "saml-demo", + "realm": "saml-demo", + "enabled": true, + "sslRequired": "external", + "passwordCredentialGrantAllowed": true, + "privateKey": "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=", + "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", + "requiredCredentials": [ "password" ], + "defaultRoles": [ "user" ], + "smtpServer": { + "from": "auto@keycloak.org", + "host": "localhost", + "port":"3025" + }, + "users" : [ + { + "username" : "bburke", + "enabled": true, + "email" : "bburke@redhat.com", + "credentials" : [ + { "type" : "password", + "value" : "password" } + ], + "realmRoles": ["manager"] + } + ], + "applications": [ + { + "name": "http://localhost:8080/sales-post/", + "enabled": true, + "fullScopeAllowed": true, + "protocol": "saml", + "baseUrl": "http://localhost:8080/sales-post", + "adminUrl": "http://localhost:8080/sales-post", + "redirectUris": [ + "http://localhost:8080/sales-post/*" + ] + }, + { + "name": "http://localhost:8080/sales-post-sig/", + "enabled": true, + "protocol": "saml", + "fullScopeAllowed": true, + "baseUrl": "http://localhost:8080/sales-post-sig", + "adminUrl": "http://localhost:8080/sales-post-sig", + "redirectUris": [ + "http://localhost:8080/sales-post-sig/*" + ], + "attributes": { + "saml.server.signature": "true", + "saml.signature.algorithm": "RSA_SHA256", + "saml.client.signature": "true", + "privateKey": "MIICWwIBAAKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQABAoGADaTtoG/+foOZUiLjRWKL/OmyavK9vjgyFtThNkZY4qHOh0h3og0RdSbgIxAsIpEa1FUwU2W5yvI6mNeJ3ibFgCgcxqPk6GkAC7DWfQfdQ8cS+dCuaFTs8ObIQEvU50YzeNPiiFxRA+MnauCUXaKm/PnDfjd4tPgru7XZvlGh0wECQQDsBbN2cKkBKpr/b5oJiBcBaSZtWiMNuYBDn9x8uORj+Gy/49BUIMHF2EWyxOWz6ocP5YiynNRkPe21Zus7PEr1AkEA5yWQOkxUTIg43s4pxNSeHtL+Ebqcg54lY2xOQK0yufxUVZI8ODctAKmVBMiCKpU3mZQquOaQicuGtocpgxlScQI/YM31zZ5nsxLGf/5GL6KhzPJT0IYn2nk7IoFu7bjn9BjwgcPurpLA52TNMYWQsTqAKwT6DEhG1NaRqNWNpb4VAkBehObAYBwMm5udyHIeEc+CzUalm0iLLa0eRdiN7AUVNpCJ2V2Uo0NcxPux1AgeP5xXydXafDXYkwhINWcNO9qRAkEA58ckAC5loUGwU5dLaugsGH/a2Q8Ac8bmPglwfCstYDpl8Gp/eimb1eKyvDEELOhyImAv4/uZV9wN85V0xZXWsw==", + "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVG8a7xGN6ZIkDbeecySygcDfsypjUMNPE4QJjis8B316CvsZQ0hcTTLUyiRpHlHZys2k3xEhHBHymFC1AONcvzZzpb40tAhLHO1qtAnut00khjAdjR3muLVdGkM/zMC7G5s9iIwBVhwOQhy+VsGnCH91EzkjZ4SVEr55KJoyQJQIDAQAB", + "X509Certificate": "MIIB1DCCAT0CBgFJGP5dZDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1zaWcvMB4XDTE0MTAxNjEyNDQyM1oXDTI0MTAxNjEyNDYwM1owMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3Qtc2lnLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1RvGu8RjemSJA23nnMksoHA37MqY1DDTxOECY4rPAd9egr7GUNIXE0y1MokaR5R2crNpN8RIRwR8phQtQDjXL82c6W+NLQISxztarQJ7rdNJIYwHY0d5ri1XRpDP8zAuxubPYiMAVYcDkIcvlbBpwh/dRM5I2eElRK+eSiaMkCUCAwEAATANBgkqhkiG9w0BAQsFAAOBgQCLms6htnPaY69k1ntm9a5jgwSn/K61cdai8R8B0ccY7zvinn9AfRD7fiROQpFyY29wKn8WCLrJ86NBXfgFUGyR5nLNHVy3FghE36N2oHy53uichieMxffE6vhkKJ4P8ChfJMMOZlmCPsQPDvjoAghHt4mriFiQgRdPgIy/zDjSNw==" + } + }, + { + "name": "http://localhost:8080/sales-post-enc/", + "enabled": true, + "protocol": "saml", + "fullScopeAllowed": true, + "baseUrl": "http://localhost:8080/sales-post-enc", + "adminUrl": "http://localhost:8080/sales-post-enc", + "redirectUris": [ + "http://localhost:8080/sales-post-enc/*" + ], + "attributes": { + "saml.server.signature": "true", + "saml.signature.algorithm": "RSA_SHA512", + "saml.client.signature": "true", + "saml.encrypt": "true", + "privateKey": "MIICXQIBAAKBgQDb7kwJPkGdU34hicplwfp6/WmNcaLh94TSc7Jyr9Undp5pkyLgb0DE7EIE+6kSs4LsqCb8HDkB0nLD5DXbBJFd8n0WGoKstelvtg6FtVJMnwN7k7yZbfkPECWH9zF70VeOo9vbzrApNRnct8ZhH5fbflRB4JMA9L9R+LbURdoSKQIDAQABAoGBANtbZG9bruoSGp2s5zhzLzd4hczT6Jfk3o9hYjzNb5Z60ymN3Z1omXtQAdEiiNHkRdNxK+EM7TcKBfmoJqcaeTkW8cksVEAW23ip8W9/XsLqmbU2mRrJiKa+KQNDSHqJi1VGyimi4DDApcaqRZcaKDFXg2KDr/Qt5JFD/o9IIIPZAkEA+ZENdBIlpbUfkJh6Ln+bUTss/FZ1FsrcPZWu13rChRMrsmXsfzu9kZUWdUeQ2Dj5AoW2Q7L/cqdGXS7Mm5XhcwJBAOGZq9axJY5YhKrsksvYRLhQbStmGu5LG75suF+rc/44sFq+aQM7+oeRr4VY88Mvz7mk4esdfnk7ae+cCazqJvMCQQCx1L1cZw3yfRSn6S6u8XjQMjWE/WpjulujeoRiwPPY9WcesOgLZZtYIH8nRL6ehEJTnMnahbLmlPFbttxPRUanAkA11MtSIVcKzkhp2KV2ipZrPJWwI18NuVJXb+3WtjypTrGWFZVNNkSjkLnHIeCYlJIGhDd8OL9zAiBXEm6kmgLNAkBWAg0tK2hCjvzsaA505gWQb4X56uKWdb0IzN+fOLB3Qt7+fLqbVQNQoNGzqey6B4MoS1fUKAStqdGTFYPG/+9t", + "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb7kwJPkGdU34hicplwfp6/WmNcaLh94TSc7Jyr9Undp5pkyLgb0DE7EIE+6kSs4LsqCb8HDkB0nLD5DXbBJFd8n0WGoKstelvtg6FtVJMnwN7k7yZbfkPECWH9zF70VeOo9vbzrApNRnct8ZhH5fbflRB4JMA9L9R+LbURdoSKQIDAQAB", + "X509Certificate": "MIIB1DCCAT0CBgFJGVacCDANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVodHRwOi8vbG9jYWxob3N0OjgwODAvc2FsZXMtcG9zdC1lbmMvMB4XDTE0MTAxNjE0MjA0NloXDTI0MTAxNjE0MjIyNlowMDEuMCwGA1UEAxMlaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NhbGVzLXBvc3QtZW5jLzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2+5MCT5BnVN+IYnKZcH6ev1pjXGi4feE0nOycq/VJ3aeaZMi4G9AxOxCBPupErOC7Kgm/Bw5AdJyw+Q12wSRXfJ9FhqCrLXpb7YOhbVSTJ8De5O8mW35DxAlh/cxe9FXjqPb286wKTUZ3LfGYR+X235UQeCTAPS/Ufi21EXaEikCAwEAATANBgkqhkiG9w0BAQsFAAOBgQBMrfGD9QFfx5v7ld/OAto5rjkTe3R1Qei8XRXfcs83vLaqEzjEtTuLGrJEi55kXuJgBpVmQpnwCCkkjSy0JxbqLDdVi9arfWUxEGmOr01ZHycELhDNaQcFqVMPr5kRHIHgktT8hK2IgCvd3Fy9/JCgUgCPxKfhwecyEOKxUc857g==" + } + }, + { + "name": "http://localhost:8080/employee/", + "enabled": true, + "fullScopeAllowed": true, + "protocol": "saml", + "baseUrl": "http://localhost:8080/employee", + "adminUrl": "http://localhost:8080/employee", + "redirectUris": [ + "http://localhost:8080/employee/*" + ] + }, + { + "name": "http://localhost:8080/employee-sig/", + "enabled": true, + "protocol": "saml", + "fullScopeAllowed": true, + "baseUrl": "http://localhost:8080/employee-sig", + "adminUrl": "http://localhost:8080/employee-sig", + "redirectUris": [ + "http://localhost:8080/employee-sig/*" + ], + "attributes": { + "saml.server.signature": "true", + "saml.client.signature": "true", + "saml.signature.algorithm": "RSA_SHA1", + "privateKey": "MIICXQIBAAKBgQC+9kVgPFpshjS2aT2g52lqTv2lqb1jgvXZVk7iFF4LAO6SdCXKXRZI4SuzIRkVNpE1a42V1kQRlaozoFklgvX5sje8tkpa9ylq+bxGXM9RRycqRu2B+oWUV7Aqq7Bs0Xud0WeHQYRcEoCjqsFKGy65qkLRDdT70FTJgpSHts+gDwIDAQABAoGANU1efgc6ojIvwn7Lsf8GAKN9z2D6uS0T3I9nw1k2CtI+xWhgKAUltEANx5lEfBRYIdYclidRpqrk8DYgzASrDYTHXzqVBJfAk1VrAGpqyRq+TNMLUHkXiTiSDOQ6WqhX93UGMmAgQm1RsLa6+fy1BO/B2y85+Yf2OUylsKS6avECQQDslRDiNFdtEjdvyOL20tQ7+W+eKVxVxKAyQ3gFjIIDizELZt+Jq1Wz6XV9NhK1JFtlVugeD1tlW/+K16fEmDYXAkEAzqKoN/JeGb20rfQldAUWdQbb0jrQAYlgoSU/9fYH9YVJT8vnkfhPBTwIw9H9euf1//lRP/jHltHd5ch4230YyQJBAN3rOkoltPiABPZbpuLGgwS7BwOCYrWlWmurtBLoaTCvyVKbrgXybNL1pBrOtR+rufvGWLeRyja65Gs1vY6BBQMCQQCTsNq/MjJj/522f7yNUl2cw4w2lOa7Um+IflFbAcDqkZu2ty0Kvgns2d4B6INeZ5ECpjaWnMA7YkFRzZnkd2NRAkB8lEY56ScnNigoZkkjtEUd2ejdhZPYuS9SKfv9zHwN+I+DE2vVFZz8GPq/iLcMx13PkZaYaJNQ4FtQY/hRLSn5", + "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+9kVgPFpshjS2aT2g52lqTv2lqb1jgvXZVk7iFF4LAO6SdCXKXRZI4SuzIRkVNpE1a42V1kQRlaozoFklgvX5sje8tkpa9ylq+bxGXM9RRycqRu2B+oWUV7Aqq7Bs0Xud0WeHQYRcEoCjqsFKGy65qkLRDdT70FTJgpSHts+gDwIDAQAB", + "X509Certificate": "MIIB0DCCATkCBgFJH5u0EDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNodHRwOi8vbG9jYWxob3N0OjgwODAvZW1wbG95ZWUtc2lnLzAeFw0xNDEwMTcxOTMzNThaFw0yNDEwMTcxOTM1MzhaMC4xLDAqBgNVBAMTI2h0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9lbXBsb3llZS1zaWcvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+9kVgPFpshjS2aT2g52lqTv2lqb1jgvXZVk7iFF4LAO6SdCXKXRZI4SuzIRkVNpE1a42V1kQRlaozoFklgvX5sje8tkpa9ylq+bxGXM9RRycqRu2B+oWUV7Aqq7Bs0Xud0WeHQYRcEoCjqsFKGy65qkLRDdT70FTJgpSHts+gDwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACKyPLGqMX8GsIrCfJU8eVnpaqzTXMglLVo/nTcfAnWe9UAdVe8N3a2PXpDBvuqNA/DEAhVcQgxdlOTWnB6s8/yLTRuH0bZgb3qGdySif+lU+E7zZ/SiDzavAvn+ABqemnzHcHyhYO+hNRGHvUbW5OAii9Vdjhm8BI32YF1NwhKp" + } + } + ], + "roles" : { + "realm" : [ + { + "name": "manager", + "description": "Have Manager privileges" + } + ] + } +} diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html index 60d7ae5a223..590f78c0157 100755 --- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html +++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html @@ -84,7 +84,7 @@
- +
diff --git a/pom.xml b/pom.xml index 623b0e0c0f8..5b3f1547cab 100755 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,8 @@ 2.3.7.Final 3.0.9.Final 1.0.15.Final - 2.7.0.CR1-20140924 + + 2.7.0.CR1 1.0.2.Final 2.11.3 3.1.4.GA @@ -251,6 +252,16 @@ picketlink-config ${picketlink.version} + + org.picketlink + picketlink-api + ${picketlink.version} + + + org.picketlink + picketlink-impl + ${picketlink.version} + org.picketbox picketbox-ldap diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java index 6ed495d9896..3d53c66df7b 100755 --- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java +++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SALM2LoginResponseBuilder.java @@ -53,7 +53,11 @@ public class SALM2LoginResponseBuilder extends SAML2BindingBuilder { return (T)this; } - public class BindingBuilder { + public class PostBindingBuilder { protected Document document; - public BindingBuilder(Document document) { + public PostBindingBuilder(Document document) throws ProcessingException { + this.document = document; + if (signed) { + signDocument(document); + } + } + + public String encoded() throws ProcessingException, ConfigurationException, IOException { + byte[] responseBytes = org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getDocumentAsString(document).getBytes("UTF-8"); + return PostBindingUtil.base64Encode(new String(responseBytes)); + } + public Document getDocument() { + return document; + } + + public String htmlResponse() throws ProcessingException, ConfigurationException, IOException { + return buildHtml(encoded()); + + } + public Response response() throws ConfigurationException, ProcessingException, IOException { + return buildResponse(document); + } + } + + + public class RedirectBindingBuilder { + protected Document document; + + public RedirectBindingBuilder(Document document) { this.document = document; } public Document getDocument() { return document; } - public Response postResponse() throws ConfigurationException, ProcessingException, IOException { - return buildResponse(document); - } - - public URI redirectResponseUri() throws ConfigurationException, ProcessingException, IOException { + public URI responseUri() throws ConfigurationException, ProcessingException, IOException { return generateRedirectUri("SAMLResponse", document); } - - public Response redirectResponse() throws ProcessingException, ConfigurationException, IOException { - URI uri = redirectResponseUri(); + public Response response() throws ProcessingException, ConfigurationException, IOException { + URI uri = responseUri(); CacheControl cacheControl = new CacheControl(); cacheControl.setNoCache(true); @@ -140,6 +163,7 @@ public class SAML2BindingBuilder { } + private String getSAMLNSPrefix(Document samlResponseDocument) { Node assertionElement = samlResponseDocument.getDocumentElement() .getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()).item(0); @@ -171,18 +195,6 @@ public class SAML2BindingBuilder { } - protected void encryptAndSign(Document samlDocument) throws ProcessingException { - if (encrypt) { - encryptDocument(samlDocument); - signDocument(samlDocument); - return; - } - if (signed) { - signDocument(samlDocument); - return; - } - } - protected void signDocument(Document samlDocument) throws ProcessingException { SamlProtocolUtils.signDocument(samlDocument, signingKeyPair, signatureAlgorithm.getXmlSignatureMethod(), signatureAlgorithm.getXmlSignatureDigestMethod(), signingCertificate); } @@ -201,6 +213,10 @@ public class SAML2BindingBuilder { byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8"); String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes)); + return buildHtml(samlResponse); + } + + protected String buildHtml(String samlResponse) { if (destination == null) { throw SALM2LoginResponseBuilder.logger.nullValueError("Destination is null"); } diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java index 8d7a8158ca4..c4a2c2bad15 100755 --- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java +++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java @@ -18,7 +18,27 @@ import org.w3c.dom.Document; */ public class SAML2ErrorResponseBuilder extends SAML2BindingBuilder { - public Document buildDocument(String status) throws ProcessingException { + protected String status; + + public SAML2ErrorResponseBuilder status(String status) { + this.status = status; + return this; + } + + public RedirectBindingBuilder redirectBinding() throws ConfigurationException, ProcessingException { + Document samlResponseDocument = buildDocument(); + return new RedirectBindingBuilder(samlResponseDocument); + + } + + public PostBindingBuilder postBinding() throws ConfigurationException, ProcessingException { + Document samlResponseDocument = buildDocument(); + return new PostBindingBuilder(samlResponseDocument); + + } + + + public Document buildDocument() throws ProcessingException { Document samlResponse = null; ResponseType responseType = null; @@ -41,15 +61,9 @@ public class SAML2ErrorResponseBuilder extends SAML2BindingBuilderBill Burke * @version $Revision: 1 $ */ -public class SalmProtocol implements LoginProtocol { - protected static final Logger logger = Logger.getLogger(SalmProtocol.class); +public class SamlProtocol implements LoginProtocol { + protected static final Logger logger = Logger.getLogger(SamlProtocol.class); public static final String LOGIN_PROTOCOL = "saml"; public static final String SAML_BINDING = "saml_binding"; public static final String SAML_POST_BINDING = "post"; @@ -49,19 +49,19 @@ public class SalmProtocol implements LoginProtocol { @Override - public SalmProtocol setSession(KeycloakSession session) { + public SamlProtocol setSession(KeycloakSession session) { this.session = session; return this; } @Override - public SalmProtocol setRealm(RealmModel realm) { + public SamlProtocol setRealm(RealmModel realm) { this.realm = realm; return this; } @Override - public SalmProtocol setUriInfo(UriInfo uriInfo) { + public SamlProtocol setUriInfo(UriInfo uriInfo) { this.uriInfo = uriInfo; return this; } @@ -84,12 +84,13 @@ public class SalmProtocol implements LoginProtocol { SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder() .relayState(clientSession.getNote(GeneralConstants.RELAY_STATE)) .destination(clientSession.getRedirectUri()) - .responseIssuer(getResponseIssuer(realm)); + .responseIssuer(getResponseIssuer(realm)) + .status(status); try { if (isPostBinding(clientSession)) { - return builder.binding(status).postResponse(); + return builder.postBinding().response(); } else { - return builder.binding(status).redirectResponse(); + return builder.redirectBinding().response(); } } catch (Exception e) { return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process response"); @@ -97,7 +98,7 @@ public class SalmProtocol implements LoginProtocol { } protected boolean isPostBinding(ClientSessionModel clientSession) { - return SalmProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SalmProtocol.SAML_BINDING)); + return SamlProtocol.SAML_POST_BINDING.equals(clientSession.getNote(SamlProtocol.SAML_BINDING)); } @Override @@ -142,9 +143,9 @@ public class SalmProtocol implements LoginProtocol { } try { if (isPostBinding(clientSession)) { - return builder.binding().postResponse(); + return builder.postBinding().response(); } else { - return builder.binding().redirectResponse(); + return builder.redirectBinding().response(); } } catch (Exception e) { logger.error("failed", e); @@ -156,7 +157,7 @@ public class SalmProtocol implements LoginProtocol { return "true".equals(client.getAttribute("saml.server.signature")); } - private SignatureAlgorithm getSignatureAlgorithm(ClientModel client) { + public static SignatureAlgorithm getSignatureAlgorithm(ClientModel client) { String alg = client.getAttribute("saml.signature.algorithm"); if (alg != null) { SignatureAlgorithm algorithm = SignatureAlgorithm.valueOf(alg); @@ -214,7 +215,7 @@ public class SalmProtocol implements LoginProtocol { String logoutRequestString = null; try { - logoutRequestString = logoutBuilder.buildRequestString(); + logoutRequestString = logoutBuilder.postBinding().encoded(); } catch (Exception e) { logger.warn("failed to send saml logout", e); return; diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java index 5021d0cbb75..e2c0fd5bc7a 100755 --- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java +++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java @@ -22,7 +22,7 @@ public class SamlProtocolFactory implements LoginProtocolFactory { @Override public LoginProtocol create(KeycloakSession session) { - return new SalmProtocol().setSession(session); + return new SamlProtocol().setSession(session); } @Override diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java index 1ccfba196e1..2b428289ec0 100755 --- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java +++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java @@ -42,11 +42,9 @@ import javax.ws.rs.core.SecurityContext; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import javax.ws.rs.ext.Providers; -import java.io.IOException; import java.net.URI; import java.security.PublicKey; import java.security.Signature; -import java.security.SignatureException; /** * Resource class for the oauth/openid connect token service @@ -195,10 +193,10 @@ public class SamlService { ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); - clientSession.setAuthMethod(SalmProtocol.LOGIN_PROTOCOL); + clientSession.setAuthMethod(SamlProtocol.LOGIN_PROTOCOL); clientSession.setRedirectUri(redirect); clientSession.setAction(ClientSessionModel.Action.AUTHENTICATE); - clientSession.setNote(SalmProtocol.SAML_BINDING, getBindingType()); + clientSession.setNote(SamlProtocol.SAML_BINDING, getBindingType()); clientSession.setNote(GeneralConstants.RELAY_STATE, relayState); clientSession.setNote("REQUEST_ID", requestAbstractType.getID()); @@ -278,7 +276,7 @@ public class SamlService { @Override protected String getBindingType() { - return SalmProtocol.SAML_POST_BINDING; + return SamlProtocol.SAML_POST_BINDING; } @@ -307,7 +305,9 @@ public class SamlService { if (algorithm == null) throw new VerificationException("SigAlg as null"); if (signature == null) throw new VerificationException("Signature as null"); - SamlProtocolUtils.verifyDocumentSignature(client, documentHolder.getSamlDocument()); + // Shibboleth doesn't sign the document for redirect binding. + // todo maybe a flag? + // SamlProtocolUtils.verifyDocumentSignature(client, documentHolder.getSamlDocument()); PublicKey publicKey = SamlProtocolUtils.getPublicKey(client); @@ -323,7 +323,8 @@ public class SamlService { try { byte[] decodedSignature = RedirectBindingUtil.urlBase64Decode(signature); - Signature validator = SignatureAlgorithm.RSA_SHA1.createSignature(); // todo plugin signature alg + SignatureAlgorithm signatureAlgorithm = SamlProtocol.getSignatureAlgorithm(client); + Signature validator = signatureAlgorithm.createSignature(); // todo plugin signature alg validator.initVerify(publicKey); validator.update(rawQuery.getBytes("UTF-8")); if (!validator.verify(decodedSignature)) { @@ -343,7 +344,7 @@ public class SamlService { @Override protected String getBindingType() { - return SalmProtocol.SAML_GET_BINDING; + return SamlProtocol.SAML_GET_BINDING; }