Creating correct SAML client using rest api

I’m writing autotests. Technology stack: Java, RestAssured, Selenide, Lombok, JUnit etc…
I need to create new SAML client for every new test.
I copied requests from frontend, so I do this:

  1. get metadata and links from my platform
  2. send POST {host}/admin/realms/QA-realm/clients
    with body
 {
    "id": null,
    "clientId": "{metadata is here}",
    "name": "{name}",
    "rootUrl": "",
    "baseUrl": "",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "{here it's acs link}"
    ],
    "webOrigins": [
        "{correct data}"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": null,
    "authenticationFlowBindingOverrides": null,
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "defaultClientScopes": null,
    "optionalClientScopes": null,
    "access": null,
    "protocolMappers": null,
    "description": "created by autotest",
    "adminUrl": "{here it's sls}",
    "secret": null,
    "publicClient": true,
    "authorizationServicesEnabled": false
}
  3. GET /admin/realms/QA-realm/clients/{clientId}
    and I see that “saml.signing.certificate” and “saml.signing.private.key” are present in the response

  4. So now I have to finish configuring my new SAML client (like in the UI), and this is the next request:
    PUT /admin/realms/QA-realm/clients/{clientd}
    with body:

{
    "id": "{clientd}",
    "clientId": "{metadata}",
    "name": "{name}",
    "rootUrl": "",
    "baseUrl": "",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "{acs}"
    ],
    "webOrigins": [
        "{correct data}"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": false,
    "frontchannelLogout": true,
    "protocol": "saml",
    "attributes": {
        "saml_idp_initiated_sso_url_name": null,
        "saml_idp_initiated_sso_relay_state": null,
        "post.logout.redirect.uris": null,
        "pkce.code.challenge.method": null,
        "saml.assertion.signature": true,
        "saml.encryption.private.key": null,
        "saml.force.post.binding": true,
        "saml.encrypt": false,
        "saml.server.signature": true,
        "saml.server.signature.keyinfo.ext": false,
        "saml.signing.certificate": "{cert from GET request}",
        "saml.artifact.binding.identifier": "8ebba307-ffaa-489b-818d-d176c8a99935",
        "saml.artifact.binding": false,
        "saml.signature.algorithm": "RSA_SHA256",
        "saml_force_name_id_format": true,
        "saml.client.signature": false,
        "saml.encryption.certificate": null,
        "saml.authnstatement": true,
        "display.on.consent.screen": false,
        "saml_name_id_format": "email",
        "saml.signing.private.key": "{key from GET request}",
        "saml.allow.ecp.flow": false,
        "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
        "saml.onetimeuse.condition": false,
        "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "CERT_SUBJECT",
        "login_theme": "keycloak",
        "oidc.ciba.grant.enabled": null,
        "client.secret.creation.time": null,
        "backchannel.logout.session.required": null,
        "oauth2.device.authorization.grant.enabled": null,
        "backchannel.logout.revoke.offline.tokens": null
    },
    "authenticationFlowBindingOverrides": {
        
    },
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "defaultClientScopes": [
        
    ],
    "optionalClientScopes": [
        "role_list"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    },
    "protocolMappers": null,
    "description": "created by autotest",
    "adminUrl": "{sls}",
    "secret": null,
    "publicClient": true,
    "authorizationServicesEnabled": false
}
  5. then I can add a mapping, but it’s not necessary for the login-via-SSO test

When I open 2 clients:

  1. created in the UI - it’s working without any problems
  2. created via API - it LOOKS totally similar to the UI-created client, BUT:

when the user in the autotest tries to log in through this client, he gets a 401 error with the text “unable to extract public key” while being redirected from KK (Keycloak) back to our platform.
I don’t have access to our dev repo, and my developers can’t help me.

Who knows how to solve this problem?