Documentation
¶
Index ¶
- Variables
- func RequireAttribute(name, value string) func(http.Handler) http.Handler
- type Auth
- type AuthService
- type Config
- type Middleware
- func (m *Middleware) CreateSessionFromAssertion(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion, ...)
- func (m *Middleware) HandleStartAuthFlow(w http.ResponseWriter, r *http.Request)
- func (m *Middleware) RequireAccount(c *gin.Context)
- func (m *Middleware) ServeACS(c *gin.Context)
- func (m *Middleware) ServeHTTP(c *gin.Context)
- func (m *Middleware) ServeMetadata(c *gin.Context)
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidState = apperr.New("saml_invalid_state", apperr.WithTextTranslate(translator.Translate{translator.RU: "Неизвестный источник", translator.EN: "Unknown source"}), apperr.WithCode(code.InvalidArgument)) ErrInvalidCode = apperr.New("saml_invalid_code", apperr.WithTextTranslate(translator.Translate{translator.RU: "Неизвестный код", translator.EN: "Unknown code"}), apperr.WithCode(code.InvalidArgument)) ErrInvalidToken = apperr.New("saml_invalid_token", apperr.WithTextTranslate(translator.Translate{translator.RU: "Неверный токен", translator.EN: "Invalid token"}), apperr.WithCode(code.InvalidArgument)) ErrInvalidAttribute = apperr.New("saml_invalid_attribute", apperr.WithTextTranslate(translator.Translate{translator.RU: "Неверный аттрибут", translator.EN: "Invalid attribute"}), apperr.WithCode(code.InvalidArgument)) )
Functions ¶
func RequireAttribute ¶
RequireAttribute returns a middleware function that requires that the SAML attribute `name` be set to `value`. This can be used to require that a remote user be a member of a group. It relies on the Claims assigned to to the context in RequireAccount.
For example:
goji.Use(m.RequireAccount)
goji.Use(RequireAttributeMiddleware("eduPersonAffiliation", "Staff"))
Types ¶
type Auth ¶
type Auth struct {
// contains filtered or unexported fields
}
func (*Auth) CheckRedirectURLs ¶
func (*Auth) GetLoginFromContext ¶
func (*Auth) SamlSP ¶
func (auth *Auth) SamlSP() *Middleware
type AuthService ¶
type Middleware ¶
type Middleware struct {
ServiceProvider saml.ServiceProvider
OnError func(w http.ResponseWriter, r *http.Request, err error)
Binding string // either saml.HTTPPostBinding or saml.HTTPRedirectBinding
ResponseBinding string // either saml.HTTPPostBinding or saml.HTTPArtifactBinding
RequestTracker samlsp.RequestTracker
Session samlsp.SessionProvider
}
Middleware implements middleware than allows a web application to support SAML.
It implements http.Handler so that it can provide the metadata and ACS endpoints, typically /saml/metadata and /saml/acs, respectively.
It also provides middleware RequireAccount which redirects users to the auth process if they do not have session credentials.
When redirecting the user through the SAML auth flow, the middleware assigns a temporary cookie with a random name beginning with "saml_". The value of the cookie is a signed JSON Web Token containing the original URL requested and the SAML request ID. The random part of the name corresponds to the RelayState parameter passed through the SAML flow.
When validating the SAML response, the RelayState is used to look up the correct cookie, validate that the SAML request ID, and redirect the user back to their original URL.
Sessions are established by issuing a JSON Web Token (JWT) as a session cookie once the SAML flow has succeeded. The JWT token contains the authenticated attributes from the SAML assertion.
When the middleware receives a request with a valid session JWT it extracts the SAML attributes and modifies the http.Request object adding a Context object to the request context that contains attributes from the initial SAML assertion.
When issuing JSON Web Tokens, a signing key is required. Because the SAML service provider already has a private key, we borrow that key to sign the JWTs as well.
func (*Middleware) CreateSessionFromAssertion ¶
func (m *Middleware) CreateSessionFromAssertion(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion, redirectURI string)
CreateSessionFromAssertion is invoked by ServeHTTP when we have a new, valid SAML assertion.
func (*Middleware) HandleStartAuthFlow ¶
func (m *Middleware) HandleStartAuthFlow(w http.ResponseWriter, r *http.Request)
HandleStartAuthFlow is called to start the SAML authentication process.
func (*Middleware) RequireAccount ¶
func (m *Middleware) RequireAccount(c *gin.Context)
RequireAccount is HTTP middleware that requires that each request be associated with a valid session. If the request is not associated with a valid session, then rather than serve the request, the middleware redirects the user to start the SAML auth flow.
func (*Middleware) ServeACS ¶
func (m *Middleware) ServeACS(c *gin.Context)
ServeACS handles requests for the SAML ACS endpoint.
func (*Middleware) ServeHTTP ¶
func (m *Middleware) ServeHTTP(c *gin.Context)
ServeHTTP implements http.Handler and serves the SAML-specific HTTP endpoints on the URIs specified by m.ServiceProvider.MetadataURL and m.ServiceProvider.AcsURL.
func (*Middleware) ServeMetadata ¶
func (m *Middleware) ServeMetadata(c *gin.Context)
ServeMetadata handles requests for the SAML metadata endpoint.
Source Files