Java源码示例:org.opensaml.security.credential.CredentialResolver
示例1
/**
 * Builds a {@link CredentialResolver} backed by the key store described by {@code keyStore}.
 *
 * <p>{@code keyStore.path()} is first interpreted as a file-system path; when no regular file
 * exists there, the same string is treated as a class-path resource name and resolved through
 * the class loader of {@link SamlAuthProviderFactory}. Store type, store password and the
 * per-key passwords are handed to the builder exactly as configured.
 *
 * <p>NOTE(review): because the fallback is keyed on {@code File.isFile()}, a mistyped
 * file-system path is silently retried as a class-path lookup, so the failure you eventually
 * see comes from the resource lookup rather than the path you configured.
 *
 * @param keyStore key store configuration (path, type, store password, key passwords)
 * @return a resolver over the keys held in that store
 * @throws IOException propagated from the builder when the store cannot be read
 * @throws GeneralSecurityException propagated from the builder when the store cannot be loaded
 */
private static CredentialResolver credentialResolver(KeyStore keyStore)
        throws IOException, GeneralSecurityException {
    final String location = keyStore.path();
    final File onDisk = new File(location);

    // A regular file wins; anything else (missing, directory) falls back to the class path.
    final KeyStoreCredentialResolverBuilder resolverBuilder = onDisk.isFile()
            ? new KeyStoreCredentialResolverBuilder(onDisk)
            : new KeyStoreCredentialResolverBuilder(
                    SamlAuthProviderFactory.class.getClassLoader(), location);

    resolverBuilder.type(keyStore.type())
                   .password(keyStore.password())
                   .addKeyPasswords(keyStore.keyPasswords());
    return resolverBuilder.build();
}
示例2
/**
 * Creates a {@link SignatureTrustEngine} pinned to the public key of {@code certificate}.
 *
 * <p>Both resolvers handed to the engine are static and wrap the same certificate: the
 * trusted-credential resolver supplies the key a signature must verify under, and the
 * {@code KeyInfo} resolver supplies the same key for signatures that carry key information.
 *
 * <p>NOTE(review): this is OpenSAML's explicit-key trust model. Nothing in this method
 * validates the certificate itself (chain, validity period, revocation) — acceptable for a
 * certificate pinned from trusted IdP metadata, but it means IdP key rotation requires
 * updating this certificate rather than relying on a CA.
 *
 * @param certificate the certificate whose key signatures must verify under
 *        (presumably the identity provider's signing certificate)
 * @return a trust engine that trusts exactly that key
 */
private SignatureTrustEngine buildSignatureTrustEngine(X509Certificate certificate) {
    final BasicX509Credential trustedCredential = new BasicX509Credential(certificate);
    final BasicX509Credential keyInfoCredential = new BasicX509Credential(certificate);
    final CredentialResolver trusted = new StaticCredentialResolver(trustedCredential);
    final KeyInfoCredentialResolver keyInfo = new StaticKeyInfoCredentialResolver(keyInfoCredential);
    return new ExplicitKeySignatureTrustEngine(trusted, keyInfo);
}
示例3
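/**
 * Configures an identity provider with <a href="https://idp.ssocircle.com/meta-idp.xml">
 * the metadata of the SSOCircle</a>. You must <a href="https://idp.ssocircle.com/sso/hos/SPMetaInter.jsp">
 * register</a> this service provider, which we are configuring here, to the SSOCircle.
 * You can get the metadata of this service provider from {@code https://localhost:8443/saml/metadata}
 * after starting this server.
 *
 * <p>The {@code signing} and {@code encryption} key pair in the keystore {@code sample.jks} can be
 * generated with the following commands. {@code -storetype PKCS12} makes the file match the
 * {@code "PKCS12"} type passed to the resolver builder below (older {@code keytool} releases
 * default to JKS), and the self-signed certificates are signed with SHA-256 instead of SHA-1:
 * <pre>{@code
 * $ keytool -genkeypair -keystore sample.jks -storetype PKCS12 -storepass 'N5^X[hvG' \
 * -keyalg rsa -sigalg sha256withrsa \
 * -dname 'CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown' -alias signing
 *
 * $ keytool -genkeypair -keystore sample.jks -storetype PKCS12 -storepass 'N5^X[hvG' \
 * -keyalg rsa -sigalg sha256withrsa \
 * -dname 'CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown' -alias encryption
 * }</pre>
 *
 * <p>The certificate of the SSOCircle can be imported into the keystore with the following command.
 * You can specify its alias as same as its entity ID so that you do not need to specify the alias
 * when building a {@link SamlServiceProvider}. You can make {@code ssocircle.crt} file with
 * the certificate from <a href="https://www.ssocircle.com/en/idp-tips-tricks/public-idp-configuration/">
 * Public IDP Configuration</a> of SSOCircle.
 * <pre>{@code
 * $ keytool -importcert -keystore sample.jks -storetype PKCS12 -storepass 'N5^X[hvG' \
 * -file ssocircle.crt -alias 'https://idp.ssocircle.com'
 * }</pre>
 *
 * <p>The keystore and key passwords are hard-coded below only because this is a runnable sample.
 * In a real deployment load them from a secret store or the environment rather than committing
 * them to source control.
 *
 * @return a {@link SamlServiceProvider} wired to the SSOCircle public identity provider
 * @throws IOException propagated from the keystore load when {@code sample.jks} cannot be read
 * @throws GeneralSecurityException propagated from the keystore load when the store type or
 *         password does not match the file
 */
private static SamlServiceProvider samlServiceProvider() throws IOException, GeneralSecurityException {
    final MyAuthHandler authHandler = new MyAuthHandler();
    // Specify information about your keystore.
    // The keystore contains two key pairs, which are identified as 'signing' and 'encryption'.
    final CredentialResolver credentialResolver =
            new KeyStoreCredentialResolverBuilder(Main.class.getClassLoader(), "sample.jks")
                    .type("PKCS12")
                    .password("N5^X[hvG")
                    // You need to specify your key pair and its password here.
                    .addKeyPassword("signing", "N5^X[hvG")
                    .addKeyPassword("encryption", "N5^X[hvG")
                    .build();
    return SamlServiceProvider.builder()
                              .credentialResolver(credentialResolver)
                              // Specify the entity ID of this service provider.
                              // You can specify what you want.
                              .entityId("armeria-sp")
                              .hostname("localhost")
                              // Specify an authorizer in order to authenticate a request.
                              .authorizer(authHandler)
                              // Specify a SAML single sign-on handler
                              // which sends a response to an end user
                              // after he or she is authenticated or not.
                              .ssoHandler(authHandler)
                              // Specify the signature algorithm used for the messages this
                              // service provider signs. SignatureConstants.ALGO_ID_SIGNATURE_RSA
                              // is an alias for the rsa-sha1 algorithm in OpenSAML; SHA-1
                              // signatures are deprecated, so name the SHA-256 variant explicitly.
                              .signatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256)
                              // The following information is from
                              // https://idp.ssocircle.com/meta-idp.xml.
                              .idp()
                              // Specify the entity ID of the identity provider.
                              // It can be found from the metadata of the identity provider.
                              .entityId("https://idp.ssocircle.com")
                              // Specify the endpoint that is supposed to send an authentication request.
                              .ssoEndpoint(ofHttpPost("https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp"))
                              .and()
                              .build();
}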
示例4
/**
 * Creates a new {@link KeyStoreCredentialResolver}.
 *
 * <p>Opens the configured source via {@link #open()}, loads it as a {@link KeyStore} of the
 * configured {@code type}, and wraps the loaded store together with the configured per-key
 * passwords. The input stream is closed once loading finishes, whether or not it succeeded.
 *
 * <p>NOTE(review): when no store password was configured, {@code null} is passed to
 * {@link KeyStore#load}. For the common store types this skips the store's integrity (MAC)
 * verification, so a modified keystore file would still load. Configure a store password
 * unless that is intended.
 *
 * @return a resolver over the keys held in the loaded store
 * @throws IOException if the source cannot be opened, or if the JDK reports the data as
 *         malformed or the store password as wrong (both surface as {@code IOException})
 * @throws GeneralSecurityException if {@code type} is not a supported keystore type or the
 *         store's certificates cannot be loaded
 */
public CredentialResolver build() throws IOException, GeneralSecurityException {
    final char[] storePassword = password == null ? null : password.toCharArray();
    final KeyStore store = KeyStore.getInstance(type);
    try (InputStream in = open()) {
        store.load(in, storePassword);
    }
    return new KeyStoreCredentialResolver(store, keyPasswords);
}
示例5
/**
 * Wraps the given OpenSAML {@link CredentialResolver} so it can be used through this adapter.
 *
 * @param resolver the resolver to delegate to; must not be {@code null}
 * @throws NullPointerException if {@code resolver} is {@code null}
 */
CredentialResolverAdapter(CredentialResolver resolver) {
    requireNonNull(resolver, "resolver");
    this.resolver = resolver;
}