keycloak · pedroigor · Jun 14, 2024 · May 16, 2024 · Jun 11, 2024 · Jun 12, 2024
@@ -25,6 +25,9 @@ image:images/saml-add-identity-provider.png[Add Identity Provider]
 |Single Sign-On Service URL
 |The SAML endpoint that starts the authentication process.  If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.
 
+|Artifact service URL
+|The SAML artifact resolution endpoint. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.
+
 |Single Logout Service URL
 |The SAML logout endpoint. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.
 
@@ -46,6 +49,9 @@ image:images/saml-add-identity-provider.png[Add Identity Provider]
 |HTTP-POST Binding Response
 |Controls the SAML binding in response to any SAML requests sent by an external IDP. When *OFF*, {project_name} uses Redirect Binding.
 
+|ARTIFACT Binding Response
+|Controls the SAML binding in response to any SAML requests sent by an external IDP. When *OFF*, {project_name} evaluates the HTTP-POST Binding Response configuration.
+
 |HTTP-POST Binding for AuthnRequest
 |Controls the SAML binding when requesting authentication from an external IDP. When *OFF*, {project_name} uses Redirect Binding.
 

@@ -119,8 +119,8 @@ describe("Partial import test", () => {
 
     //clear button should be disabled if there is nothing in the dialog
     modal.clearButton().should("be.disabled");
-    modal.textArea().type("{}", { force: true });
-    modal.textArea().get(".view-lines").should("have.text", "{}");
+    modal.textArea().type("test", { force: true });
+    modal.textArea().get(".view-lines").should("have.text", "test");
     modal.clearButton().should("not.be.disabled");
     modal.clearButton().click();
     modal.clickClearConfirmButton();

@@ -376,6 +376,7 @@ createAttributeError=Error\! User Profile configuration has not been saved {{err
 password=Password
 eventTypes.VERIFY_EMAIL.name=Verify email
 httpPostBindingResponseHelp=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+artifactBindingResponseHelp=Indicates whether to respond to requests using ARTIFACT binding. If false, the HTTP-POST binding configuration will be evaluated.
 mapperTypeHardcodedAttributeMapper=hardcoded-attribute-mapper
 eventTypes.IMPERSONATE.description=Impersonate
 forbidden_other=Forbidden, permissions needed\:
@@ -1748,6 +1749,7 @@ idTokenSignatureAlgorithm=ID token signature algorithm
 displayHeaderHintHelp=A user-friendly name for the group that should be used when rendering a group of attributes in user-facing forms. Supports keys for localized values as well. For example\: ${profile.attribute.group.address}.
 providerInfo=Provider info
 ssoServiceUrl=Single Sign-On service URL
+artifactResolutionServiceUrl=Artifact Resolution service URL
 inputHelperTextAfter=Helper text (under) the input field
 appliedByClients=Applied by the following clients
 createFlowHelp=You can create a top level flow within this from
@@ -2075,6 +2077,7 @@ experimental=Experimental
 idTokenSignatureAlgorithmHelp=JWA algorithm used for signing ID tokens.
 deleteResourceConfirm=If you delete this resource, some permissions will be affected.
 httpPostBindingResponse=HTTP-POST binding response
+artifactBindingResponse=ARTIFACT binding response
 tokenLifespan.inherited=Inherits from realm settings
 saveEvents=Save events
 issuer=Issuer
@@ -2825,6 +2828,7 @@ clientUpdaterTrustedHosts=Trusted Hosts
 deleteSuccess=Attributes group deleted.
 attributesDropdown=Attributes dropdown
 ssoServiceUrlHelp=The Url that must be used to send authentication requests (SAML AuthnRequest).
+artifactResolutionServiceUrlHelp=The Url that must be used to get SAML assertions from artifacts (SAML ArtifactResolve).
 copy=Copy
 credentialData=Data
 clientRolesConditionTooltip=Client roles, which will be checked during this condition evaluation. Condition evaluates to true if client has at least one client role with the name as the client roles specified in the configuration.

@@ -70,6 +70,13 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
           readOnly={readOnly}
           rules={{ required: t("required") }}
         />
+        <TextControl
+          name="config.artifactResolutionServiceUrl"
+          label={t("artifactResolutionServiceUrl")}
+          labelIcon={t("artifactResolutionServiceUrlHelp")}
+          type="url"
+          isDisabled={readOnly}
+        />
         <TextControl
           name="config.singleLogoutServiceUrl"
           label={t("singleLogoutServiceUrl")}
@@ -174,6 +181,13 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
           stringify
         />
 
+        <DefaultSwitchControl
+          name="config.artifactBindingResponse"
+          label={t("artifactBindingResponse")}
+          isDisabled={readOnly}
+          stringify
+        />
+
         <DefaultSwitchControl
           name="config.postBindingAuthnRequest"
           label={t("httpPostBindingAuthnRequest")}

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml;
+
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResolveType;
+import org.keycloak.dom.saml.v2.protocol.ExtensionsType;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.w3c.dom.Document;
+
+import java.net.URI;
+import java.util.LinkedList;
+import java.util.List;
+
+public class SAML2ArtifactResolveRequestBuilder implements SamlProtocolExtensionsAwareBuilder<SAML2ArtifactResolveRequestBuilder> {
+    protected String artifact;
+    protected String destination;
+    protected NameIDType issuer;
+    protected final List<NodeGenerator> extensions = new LinkedList<>();
+
+    public SAML2ArtifactResolveRequestBuilder artifact(String artifact) {
+        this.artifact = artifact;
+        return this;
+    }
+
+    public SAML2ArtifactResolveRequestBuilder destination(String destination) {
+        this.destination = destination;
+        return this;
+    }
+
+    public SAML2ArtifactResolveRequestBuilder issuer(NameIDType issuer) {
+        this.issuer = issuer;
+        return this;
+    }
+
+    public SAML2ArtifactResolveRequestBuilder issuer(String issuer) {
+        return issuer(SAML2NameIDBuilder.value(issuer).build());
+    }
+
+    @Override
+    public SAML2ArtifactResolveRequestBuilder addExtension(NodeGenerator extension) {
+        this.extensions.add(extension);
+        return this;
+    }
+
+    public Document buildDocument() throws ProcessingException, ConfigurationException, ParsingException {
+        Document document = SAML2Request.convert(createArtifactResolveRequest());
+        return document;
+    }
+
+    public ArtifactResolveType createArtifactResolveRequest() throws ConfigurationException {
+        ArtifactResolveType lort = SAML2Request.createArtifactResolveRequest(issuer);
+
+        lort.setIssuer(issuer);
+
+        if (destination != null) {
+            lort.setDestination(URI.create(destination));
+        }
+
+        if (artifact != null) {
+            lort.setArtifact(artifact);
+        }
+
+        if (!this.extensions.isEmpty()) {
+            ExtensionsType extensionsType = new ExtensionsType();
+            for (NodeGenerator extension : this.extensions) {
+                extensionsType.addExtension(extension);
+            }
+            lort.setExtensions(extensionsType);
+        }
+
+        return lort;
+    }
+}
@@ -18,6 +18,7 @@
 
 import org.keycloak.dom.saml.v2.SAML2Object;
 import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResolveType;
 import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
 import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
 import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
@@ -275,6 +276,22 @@ public static LogoutRequestType createLogoutRequest(NameIDType issuer) throws Co
         return lrt;
     }
 
+    /**
+     * Create a Artifact Resolve Request
+     *
+     * @param issuer
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static ArtifactResolveType createArtifactResolveRequest(NameIDType issuer) {
+        ArtifactResolveType lrt = new ArtifactResolveType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
+
+        lrt.setIssuer(issuer);
+
+        return lrt;
+    }
     /**
      * Return the DOM object
      *
@@ -294,6 +311,8 @@ public static Document convert(RequestAbstractType rat) throws ProcessingExcepti
             writer.write((AuthnRequestType) rat);
         } else if (rat instanceof LogoutRequestType) {
             writer.write((LogoutRequestType) rat);
+        } else if (rat instanceof ArtifactResolveType) {
+            writer.write((ArtifactResolveType) rat);
         }
 
         return DocumentUtil.getDocument(new String(bos.toByteArray(), GeneralConstants.SAML_CHARSET));

@@ -34,6 +34,7 @@
 import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
 import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
 import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResponseType;
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.keycloak.saml.common.PicketLinkLogger;
@@ -445,7 +446,10 @@ public static Document convert(StatusResponseType responseType) throws Processin
 
         SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
 
-        if (responseType instanceof ResponseType) {
+        if (responseType instanceof ArtifactResponseType) {
+            ArtifactResponseType response = (ArtifactResponseType) responseType;
+            writer.write(response);
+        } else if (responseType instanceof ResponseType) {
             ResponseType response = (ResponseType) responseType;
             writer.write(response);
         } else {