- Constants
- func IsAnonymousSession(session samlsp.Session) bool
- func NewJWESessionCodec(sessionCodec samlsp.SessionCodec, publicKey crypto.PublicKey, ...) (samlsp.SessionCodec, error)
- func Start(ctx context.Context, listener net.Listener, logger *zap.Logger, cfg *Config) error
- type AnonymousSession
- type Config
- type CookieRequestTracker
- type InitAnonymousSessionProvider
- func (p *InitAnonymousSessionProvider) CreateSession(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) error
- func (p *InitAnonymousSessionProvider) DeleteSession(w http.ResponseWriter, r *http.Request) error
- func (p *InitAnonymousSessionProvider) GetSession(r *http.Request) (samlsp.Session, error)
- type JWESessionCodec
- type Proxy
Constants ¶
// Request header names used by the proxy.
//
// The X-Forwarded-* names are the forwarded-request headers whose values
// Config.AuthVerify documents as trusted once the verify endpoint is
// enabled. NOTE(review): such headers are only meaningful when an upstream
// the proxy trusts sets them — confirm the deployment topology before
// relying on them.
const (
	// HeaderAuthorizedUsing presumably names the header that tells the
	// backend how a request was authorized; what value it carries is not
	// shown on this page — verify against Proxy.
	HeaderAuthorizedUsing = "X-Authorized-Using"
	// HeaderForwardedProto is the name of the conventional X-Forwarded-Proto header.
	HeaderForwardedProto = "X-Forwarded-Proto"
	// HeaderForwardedFor is the name of the conventional X-Forwarded-For header.
	HeaderForwardedFor = "X-Forwarded-For"
	// HeaderForwardedHost is the name of the conventional X-Forwarded-Host header.
	HeaderForwardedHost = "X-Forwarded-Host"
	// HeaderForwardedURI is the name of the X-Forwarded-Uri header.
	HeaderForwardedURI = "X-Forwarded-Uri"
)
Functions ¶
func IsAnonymousSession ¶
func NewJWESessionCodec ¶
func NewJWESessionCodec(sessionCodec samlsp.SessionCodec, publicKey crypto.PublicKey, privateKey *rsa.PrivateKey) (samlsp.SessionCodec, error)
Types ¶
type AnonymousSession ¶
// AnonymousSession is the samlsp.Session value that
// InitAnonymousSessionProvider hands out before its initiateSessionPath is
// intercepted (see that type's documentation). It carries no fields;
// IsAnonymousSession presumably reports whether a given session is one —
// confirm against its implementation.
type AnonymousSession struct {
}
type Config ¶
// Config holds the proxy's settings as consumed by Start. Each field's
// struct tag carries the flag usage text and, where present, the default
// value; three tags are elided in this rendering (see the per-field notes).
type Config struct {
	Version bool `usage:"show version and exit" env:""`
	Bind string `default:":8080" usage:"[host:port] to bind for serving HTTP"`
	BaseUrl string `usage:"External [URL] of this proxy"`
	BackendUrl string `usage:"[URL] of the backend being proxied"`
	EntityID string `usage:"Entity ID of this service provider"`
	// IdpMetadataUrl accepts a file:// URL as well as a remote one (per its usage text).
	IdpMetadataUrl string `usage:"[URL] of the IdP's metadata XML, can be a local file by specifying the file:// scheme"`
	IdpCaPath string `usage:"Optional [path] to a CA certificate PEM file for the IdP"`
	// NameIdFormat's tag (a 145-byte string literal) is not displayed in this rendering.
	NameIdFormat string ``
	SpKeyPath string `default:"saml-auth-proxy.key" usage:"The [path] to the X509 private key PEM file for this SP"`
	SpCertPath string `default:"saml-auth-proxy.cert" usage:"The [path] to the X509 public certificate PEM file for this SP"`
	NameIdMapping string `usage:"Name of the request [header] to convey the SAML nameID/subject"`
	AttributeHeaderMappings map[string]string `usage:"Comma separated list of [attribute=header] pairs mapping SAML IdP response attributes to forwarded request header"`
	AttributeHeaderWildcard string `usage:"Maps all SAML attributes with this option as a prefix, slashes in attribute names will be replaced by dashes"`
	NewAuthWebhookUrl string `usage:"[URL] of webhook that will get POST'ed when a new authentication is processed"`
	// AuthorizeAttribute and AuthorizeValues together enable authorization:
	// per the usage text, the named attribute must contain one of the values.
	AuthorizeAttribute string `usage:"Enables authorization and specifies the [attribute] to check for authorized values"`
	AuthorizeValues []string `usage:"If enabled, comma separated list of [values] that must be present in the authorize attribute"`
	CookieName string `usage:"Name of the cookie that tracks session token" default:"token"`
	CookieMaxAge time.Duration `usage:"Specifies the amount of time the authentication token will remain valid" default:"2h"`
	CookieDomain string `usage:"Overrides the domain set on the session cookie. By default the BaseUrl host is used."`
	AllowIdpInitiated bool `usage:"If set, allows for IdP initiated authentication flow"`
	// AuthVerify: per the usage text, enabling the verify endpoint also makes
	// the proxy trust the X-Forwarded headers (see the Header* constants).
	// NOTE(review): that is only safe when those headers can be set solely by
	// a trusted upstream — confirm the deployment topology before enabling.
	AuthVerify bool `usage:"Enables verify path endpoint for forward auth and trusts X-Forwarded headers"`
	AuthVerifyPath string `default:"/_verify" usage:"Path under BaseUrl that will respond with a 204 when authenticated"`
	AuthVerifyRequireLogin bool `usage:"If set, trigger a login if the user is not authenticated during verify"`
	Debug bool `usage:"Enable debug logs"`
	// StaticRelayState's tag (a 169-byte string literal) is not displayed in this rendering.
	StaticRelayState string ``
	// InitiateSessionPath's tag (a 145-byte string literal) is not displayed in
	// this rendering; the path is presumably the one passed to
	// NewInitAnonymousSessionProvider — confirm in Start.
	InitiateSessionPath string ``
	SignRequests bool `usage:"If set, enables SAML request signing"`
	// EncryptJWT presumably selects the JWESessionCodec for session tokens
	// (see NewJWESessionCodec) — confirm in Start.
	EncryptJWT bool `usage:"If set, enables JWT session encryption"`
}
type CookieRequestTracker ¶
// CookieRequestTracker extends samlsp.CookieRequestTracker to add
// CookieDomain configuration. Its TrackRequest override also includes the
// host in the request URI and handles the X-Forwarded headers (see
// TrackRequest's documentation for the upstream source it derives from).
type CookieRequestTracker struct {
	samlsp.CookieRequestTracker
	// CookieDomain is applied in http.SetCookie by TrackRequest.
	CookieDomain string
	// StaticRelayState presumably mirrors Config.StaticRelayState; how
	// TrackRequest uses it is not shown on this page — confirm there.
	StaticRelayState string
	// TrustForwardedHeaders presumably gates whether TrackRequest honours the
	// X-Forwarded headers (Config.AuthVerify documents trusting them) —
	// confirm in TrackRequest.
	TrustForwardedHeaders bool
}
Extends samlsp.CookieRequestTracker to add CookieDomain configuration.
func (CookieRequestTracker) TrackRequest ¶
func (t CookieRequestTracker) TrackRequest(w http.ResponseWriter, r *http.Request, samlRequestID string) (string, error)
Source: https://github.com/crewjam/saml/blob/5e0ffd290abf0be7dfd4f8279e03a963071544eb/samlsp/request_tracker_cookie.go#L28-58

Changes from the upstream implementation:
- Adds the host to the request URI
- Adds the CookieDomain configuration in http.SetCookie
- Handles the X-Forwarded headers
type InitAnonymousSessionProvider ¶
// InitAnonymousSessionProvider initially provides AnonymousSession instances
// when requested; however, once the given initiateSessionPath is intercepted,
// all remaining session access is delegated to the given
// delegateSessionProvider. Construct one with NewInitAnonymousSessionProvider,
// which takes the logger, the path and the delegate.
type InitAnonymousSessionProvider struct {
	// contains filtered or unexported fields
}
InitAnonymousSessionProvider initially provides AnonymousSession instances when requested; however, once the given initiateSessionPath is intercepted, all remaining session access is delegated to the given delegateSessionProvider.
func NewInitAnonymousSessionProvider ¶
func NewInitAnonymousSessionProvider(logger *zap.Logger, initiateSessionPath string, delegateSessionProvider samlsp.SessionProvider) *InitAnonymousSessionProvider
func (*InitAnonymousSessionProvider) CreateSession ¶
func (p *InitAnonymousSessionProvider) CreateSession(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion) error
func (*InitAnonymousSessionProvider) DeleteSession ¶
func (p *InitAnonymousSessionProvider) DeleteSession(w http.ResponseWriter, r *http.Request) error
func (*InitAnonymousSessionProvider) GetSession ¶
type JWESessionCodec ¶
// JWESessionCodec wraps a JWTSessionCodec and applies JWE encryption to
// protect sensitive attributes. Construct one with NewJWESessionCodec, which
// takes the wrapped codec, a crypto.PublicKey and an *rsa.PrivateKey. Decode
// first decrypts the JWE payload to obtain the signed JWT (JWS) and then
// delegates to the wrapped codec to decode and validate the JWS.
type JWESessionCodec struct {
	// contains filtered or unexported fields
}
JWESessionCodec wraps a JWTSessionCodec and applies JWE encryption to protect sensitive attributes.
func (*JWESessionCodec) Decode ¶
func (c *JWESessionCodec) Decode(encrypted string) (samlsp.Session, error)
Decode first decrypts the JWE payload to obtain the signed JWT (JWS), and then uses the wrapped codec to decode and validate the JWS.