spidsaml

Published: Dec 24, 2025 License: BSD-3-Clause Imports: 30 Imported by: 0

README

SPID SAML Library for Go

Usage (Example)

  • create idp_depo directory
  • download idp metadata under the idp_depo
  • create certs under certs directory
  • openssl req -x509 -newkey rsa:4096 -keyout certs/key.pem -out certs/cert.pem -sha256 -days 3650 -nodes -subj "/CN=localhost"
  • set other keys in settings.toml
  • serve with Echo framework

Documentation

Index

Constants

This section is empty.

Variables

var AttributeMap = map[string]string{
	"displayName":                "urn:oid:2.16.840.1.113730.3.1.241",
	"givenName":                  "urn:oid:2.5.4.42",
	"surname":                    "urn:oid:2.5.4.4",
	"cn":                         "urn:oid:2.5.4.3",
	"sn":                         "urn:oid:2.5.4.4",
	"uid":                        "urn:oid:0.9.2342.19200300.100.1.1",
	"mail":                       "urn:oid:0.9.2342.19200300.100.1.3",
	"schacPersonalUniqueCode":    "urn:oid:1.3.6.1.4.1.25178.1.2.14",
	"schacHomeOrganization":      "urn:oid:1.3.6.1.4.1.25178.1.2.9",
	"eduPersonOrcid":             "urn:oid:1.3.6.1.4.1.5923.1.1.1.16",
	"eduPersonUniqueId":          "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
	"eduPersonAssurance":         "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
	"eduPersonTargetedID":        "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
	"eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
	"eduPersonEntitlement":       "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
	"eduPersonPrincipalName":     "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
	"eduPersonAffiliation":       "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}

Functions

func SignXML

func SignXML(xml []byte, sp *SP) ([]byte, error)

Types

type Attribute

type Attribute struct {
	FriendlyName string
	Name         string
	IsRequired   string
}

type AttributeConsumingService

type AttributeConsumingService struct {
	ServiceNames []ServiceName
	Attributes   []Attribute
}

AttributeConsumingService defines an AttributeConsumingService: the list of attributes the Service Provider asks the Identity Provider to release, together with the localized names of the service that consumes them.

type AuthnRequest

type AuthnRequest struct {
	AcsURL     string
	AcsIndex   int
	AttrIndex  int
	Level      int
	Comparison string
	// contains filtered or unexported fields
}

AuthnRequest defines an outgoing SPID/SAML AuthnRequest. Do not instantiate it directly but use sp.NewAuthnRequest() instead.

func (*AuthnRequest) IssueInstant

func (msg *AuthnRequest) IssueInstant() *time.Time

func (*AuthnRequest) IssueInstantString

func (msg *AuthnRequest) IssueInstantString() string

func (*AuthnRequest) PostForm

func (authnreq *AuthnRequest) PostForm() []byte

PostForm returns an HTML page with a JavaScript auto-post command that submits the request to the Identity Provider in order to initiate their Single Sign-On. In SAML words, this implements the HTTP-POST binding.

func (*AuthnRequest) RedirectURL

func (authnreq *AuthnRequest) RedirectURL() string

RedirectURL returns the full URL of the Identity Provider where the user should be redirected in order to initiate their Single Sign-On. In SAML words, this implements the HTTP-Redirect binding.

func (*AuthnRequest) XML

func (authnreq *AuthnRequest) XML(binding SAMLBinding) []byte

XML generates the XML representation of this AuthnRequest.

type ConfigAttributeConsumingService added in v1.0.5

type ConfigAttributeConsumingService struct {
	Details ConfigServiceDetails `toml:"Details"`
}

type ConfigFile added in v1.0.5

type ConfigFile struct {
	IDPEntityID                string                            `toml:"IDPEntityID"`
	IDPdepo                    string                            `toml:"IDPdepo"`
	EntityID                   string                            `toml:"EntityID"`
	KeyFile                    string                            `toml:"KeyFile"`
	CertFile                   string                            `toml:"CertFile"`
	AcsUrls                    []string                          `toml:"AcsUrls"`
	SlsUrls                    []string                          `toml:"SlsUrls"`
	AttributeConsumingServices []ConfigAttributeConsumingService `toml:"AttributeConsumingServices"`
}

type ConfigServiceDetails added in v1.0.5

type ConfigServiceDetails struct {
	ServiceNames []ServiceName `toml:"ServiceNames"`
	Attributes   []string      `toml:"Attributes"`
}

type ContactPerson

type ContactPerson struct {
	Email   string
	IPACode string
}

type IDP

type IDP struct {
	XML        string
	EntityID   string
	Certs      []*x509.Certificate
	SSOURLs    map[SAMLBinding]string
	SLOReqURLs map[SAMLBinding]string
	SLOResURLs map[SAMLBinding]string
}

IDP represents an Identity Provider.

func ParseIDPsFromXML

func ParseIDPsFromXML(xml []byte) ([]*IDP, error)

ParseIDPsFromXML takes XML metadata and returns the IDP objects it describes.

func (*IDP) CertPEM

func (idp *IDP) CertPEM() [][]byte

CertPEM returns the IdP certificates in PEM format, one entry per certificate.

type LogoutRequestIn

type LogoutRequestIn struct {
	// contains filtered or unexported fields
}

LogoutRequestIn represents an incoming LogoutRequest. You can use this to parse a logout request in case the user initiated a logout procedure elsewhere and an Identity Provider is requesting a logout from you. You are not supposed to instantiate this directly; use ParseLogoutRequest() instead.

func (*LogoutRequestIn) Destination

func (msg *LogoutRequestIn) Destination() string

Destination returns the value of the <Destination> element.

func (*LogoutRequestIn) ID

func (msg *LogoutRequestIn) ID() string

ID returns the message ID.

func (*LogoutRequestIn) InResponseTo

func (msg *LogoutRequestIn) InResponseTo() string

InResponseTo returns the value of the <InResponseTo> element.

func (*LogoutRequestIn) Issuer

func (msg *LogoutRequestIn) Issuer() string

Issuer returns the value of the <Issuer> element.

func (*LogoutRequestIn) SessionIndex

func (logoutreq *LogoutRequestIn) SessionIndex() string

SessionIndex returns the value of the <SessionIndex> element.

func (*LogoutRequestIn) SetXML

func (msg *LogoutRequestIn) SetXML(xml []byte) error

func (*LogoutRequestIn) Validate

func (logoutreq *LogoutRequestIn) Validate(r *http.Request) error

Validate performs validation on this message.

type LogoutRequestOut

type LogoutRequestOut struct {
	Session *Session
	// contains filtered or unexported fields
}

LogoutRequestOut defines an outgoing SPID/SAML LogoutRequest. You can use it to generate such a request in case you're initiating a logout procedure on behalf of your user. Do not instantiate it directly but use sp.NewLogoutRequest() instead.

func (*LogoutRequestOut) IssueInstant

func (msg *LogoutRequestOut) IssueInstant() *time.Time

func (*LogoutRequestOut) IssueInstantString

func (msg *LogoutRequestOut) IssueInstantString() string

func (*LogoutRequestOut) PostForm

func (logoutreq *LogoutRequestOut) PostForm() []byte

PostForm returns an HTML page with a JavaScript auto-post command that submits the request to the Identity Provider in order to initiate their Single Logout. In SAML words, this implements the HTTP-POST binding.

func (*LogoutRequestOut) RedirectURL

func (logoutreq *LogoutRequestOut) RedirectURL() string

RedirectURL returns the full URL of the Identity Provider where the user should be redirected in order to initiate their Single Logout. In SAML words, this implements the HTTP-Redirect binding.

func (*LogoutRequestOut) XML

func (logoutreq *LogoutRequestOut) XML(binding SAMLBinding) []byte

XML generates the XML representation of this LogoutRequest.

type LogoutResponseIn

type LogoutResponseIn struct {
	// contains filtered or unexported fields
}

LogoutResponseIn represents an incoming LogoutResponse. You can use this to parse the response coming from the Identity Provider after you sent a LogoutRequest for a SP-initiated logout. You are not supposed to instantiate this directly; use ParseLogoutResponse() instead.

func (*LogoutResponseIn) Destination

func (msg *LogoutResponseIn) Destination() string

Destination returns the value of the <Destination> element.

func (*LogoutResponseIn) ID

func (msg *LogoutResponseIn) ID() string

ID returns the message ID.

func (*LogoutResponseIn) InResponseTo

func (msg *LogoutResponseIn) InResponseTo() string

InResponseTo returns the value of the <InResponseTo> element.

func (*LogoutResponseIn) Issuer

func (msg *LogoutResponseIn) Issuer() string

Issuer returns the value of the <Issuer> element.

func (*LogoutResponseIn) SetXML

func (msg *LogoutResponseIn) SetXML(xml []byte) error

func (*LogoutResponseIn) Validate

func (logoutres *LogoutResponseIn) Validate(r *http.Request, inResponseTo string) error

Validate performs validation on this message.

type LogoutResponseOut

type LogoutResponseOut struct {
	InResponseTo string
	// contains filtered or unexported fields
}

LogoutResponseOut defines an outgoing SPID/SAML LogoutResponse. You need to craft such a response in case you received a LogoutRequest from the Identity Provider, thus during an IdP-initiated logout. Do not instantiate it directly but use sp.NewLogoutResponse() instead.

func (*LogoutResponseOut) IssueInstant

func (msg *LogoutResponseOut) IssueInstant() *time.Time

func (*LogoutResponseOut) IssueInstantString

func (msg *LogoutResponseOut) IssueInstantString() string

func (*LogoutResponseOut) PostForm

func (logoutres *LogoutResponseOut) PostForm() []byte

PostForm returns an HTML page with a JavaScript auto-post command that submits the request to the Identity Provider in order to complete their Single Logout. In SAML words, this implements the HTTP-POST binding.

func (*LogoutResponseOut) RedirectURL

func (logoutres *LogoutResponseOut) RedirectURL() string

RedirectURL returns the full URL of the Identity Provider where the user should be redirected in order to continue their Single Logout. In SAML words, this implements the HTTP-Redirect binding.

func (*LogoutResponseOut) XML

func (logoutres *LogoutResponseOut) XML(binding SAMLBinding) []byte

XML generates the XML representation of this LogoutResponseOut.

type LogoutStatus

type LogoutStatus string

LogoutStatus represents the possible result statuses of Single Logout.

const (
	SuccessLogout LogoutStatus = "success"
	PartialLogout LogoutStatus = "partial"
)

type Organization

type Organization struct {
	Names        []string
	DisplayNames []string
	URLs         []string
}

Organization defines SP Organization data.

type Response

type Response struct {
	// contains filtered or unexported fields
}

Response represents an incoming SPID Response/Assertion message. We get such messages after an AuthnRequest (Single Sign-On).

func ParseResponse

func ParseResponse(r *http.Request, sp *SP) (*Response, error)

ParseResponse parses a Response/Assertion. Validation is performed (see the documentation for the Response.Validate() method), so this method may return an error.

func (*Response) AssertionAudience

func (response *Response) AssertionAudience() string

AssertionAudience returns the value of the <Assertion><Audience> element.

func (*Response) AssertionInResponseTo

func (response *Response) AssertionInResponseTo() string

AssertionInResponseTo returns the value of the <Assertion> InResponseTo attribute.

func (*Response) AssertionIssuer

func (response *Response) AssertionIssuer() string

AssertionIssuer returns the value of the <Assertion><Issuer> element.

func (*Response) AssertionRecipient

func (response *Response) AssertionRecipient() string

AssertionRecipient returns the value of the <Assertion> Recipient attribute.

func (*Response) Attributes

func (response *Response) Attributes() map[string]string

Attributes returns the attributes carried by the assertion.

func (*Response) Destination

func (msg *Response) Destination() string

Destination returns the value of the <Destination> element.

func (*Response) ID

func (msg *Response) ID() string

ID returns the message ID.

func (*Response) InResponseTo

func (msg *Response) InResponseTo() string

InResponseTo returns the value of the <InResponseTo> element.

func (*Response) Issuer

func (msg *Response) Issuer() string

Issuer returns the value of the <Issuer> element.

func (*Response) Level

func (response *Response) Level() int

Level returns the SPID level specified in the assertion.

func (*Response) NameID

func (response *Response) NameID() string

NameID returns the value of the <NameID> element.

func (*Response) NotBefore

func (response *Response) NotBefore() (time.Time, error)

NotBefore returns the value of the <Assertion> NotBefore attribute.

func (*Response) NotOnOrAfter

func (response *Response) NotOnOrAfter() (time.Time, error)

NotOnOrAfter returns the value of the <Assertion> NotOnOrAfter attribute.

func (*Response) Session

func (response *Response) Session() *Session

Session returns a Session object populated with useful information from this Response/Assertion. You might want to store this object along with the user session of your application, so that you can use it for generating the LogoutRequest.

func (*Response) SessionIndex

func (response *Response) SessionIndex() string

SessionIndex returns the value of the SessionIndex attribute.

func (*Response) SetXML

func (msg *Response) SetXML(xml []byte) error

func (*Response) StatusCode

func (response *Response) StatusCode() string

StatusCode returns the value of the <StatusCode> element.

func (*Response) StatusCode2

func (response *Response) StatusCode2() string

StatusCode2 returns the value of the <StatusCode><StatusCode> sub-element.

func (*Response) StatusMessage

func (response *Response) StatusMessage() string

StatusMessage returns the value of the <StatusMessage> element.

func (*Response) SubjectConfirmationDataNotOnOrAfter

func (response *Response) SubjectConfirmationDataNotOnOrAfter() (time.Time, error)

SubjectConfirmationDataNotOnOrAfter returns the value of the <Assertion><SubjectConfirmationData> NotOnOrAfter attribute.

func (*Response) Success

func (response *Response) Success() bool

Success returns true if authentication succeeded (and thus we got an assertion from the Identity Provider). In case of failure, you can call the StatusCode() method for more details.

func (*Response) Validate

func (response *Response) Validate(inResponseTo string) error

Validate performs validation on this message, that is a response from an IDP to a login request. An argument is required, containing the ID of the AuthnRequest message, which is checked against the InResponseTo field.
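The checks that ParseResponse and Validate are described as performing (InResponseTo against the stored AuthnRequest ID, Destination, Issuer, Audience and the NotBefore/NotOnOrAfter window) are shown below on a constructed Response, as an added example that is not spidsaml's own code. The function validateResponse, the constant sampleResponse, the example URLs and timestamps are all assumptions; XML signature verification (which the library delegates to dsig) is assumed to have been done before these checks.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal view of a SAML Response; tags without a namespace match any namespace.
type samlResponse struct {
	InResponseTo string `xml:"InResponseTo,attr"`
	Destination  string `xml:"Destination,attr"`
	Issuer       string `xml:"Assertion>Issuer"`
	Conditions   struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		Audience     string `xml:"AudienceRestriction>Audience"`
	} `xml:"Assertion>Conditions"`
}

// validateResponse checks a signature-verified Response against what the SP knows: its own EntityID and ACS URL, the expected IdP, the ID of the AuthnRequest it stored, and the current time.
func validateResponse(raw []byte, spEntityID, idpEntityID, acsURL, inResponseTo string, now time.Time) error {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("malformed response: %w", err)
	}
	nb, errNB := time.Parse(time.RFC3339, r.Conditions.NotBefore)
	na, errNA := time.Parse(time.RFC3339, r.Conditions.NotOnOrAfter)
	switch {
	case r.InResponseTo != inResponseTo:
		return errors.New("InResponseTo does not match the AuthnRequest ID we issued")
	case r.Destination != acsURL:
		return errors.New("Destination is not our AssertionConsumerService URL")
	case r.Issuer != idpEntityID:
		return errors.New("assertion Issuer is not the configured Identity Provider")
	case r.Conditions.Audience != spEntityID:
		return errors.New("assertion Audience is not our EntityID")
	case errNB != nil || errNA != nil:
		return errors.New("NotBefore/NotOnOrAfter missing or unparsable")
	case now.Before(nb) || !now.Before(na): // NotOnOrAfter is exclusive
		return errors.New("assertion is outside its validity window")
	}
	return nil
}

// Constructed sample, not a real IdP message; the Signature element is omitted.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 InResponseTo="_req1" Destination="https://sp.example/acs"><saml:Assertion><saml:Issuer>https://idp.example</saml:Issuer>
<saml:Conditions NotBefore="2025-01-01T10:00:00Z" NotOnOrAfter="2025-01-01T10:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>`

func main() {
	fmt.Println(validateResponse([]byte(sampleResponse), "https://sp.example", "https://idp.example", "https://sp.example/acs", "_req1", time.Date(2025, 1, 1, 10, 2, 0, 0, time.UTC)))
}
```

A real deployment must also reject a Response whose InResponseTo it has already consumed, which requires the stored AuthnRequest ID to be deleted once used.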

type SAMLBinding

type SAMLBinding string

SAMLBinding can be either HTTPRedirect or HTTPPost.

const (
	HTTPRedirect SAMLBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	HTTPPost     SAMLBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
)

Constants for SAMLBinding

type SP

type SP struct {
	IDPEntityID string
	EntityID    string
	Key         []byte
	KeyFile     string
	Cert        []byte
	CertFile    string
	//SingleSignOnService        string
	AssertionConsumerServices  []string
	SingleLogoutServices       map[string]SAMLBinding
	AttributeConsumingServices []AttributeConsumingService
	IDP                        map[string]*IDP

	Organization  Organization
	ContactPerson ContactPerson
	// contains filtered or unexported fields
}

SP represents our Service Provider.

func ConfigureSP added in v1.0.5

func ConfigureSP(config_file string) *SP

func (*SP) GetCert

func (sp *SP) GetCert() *x509.Certificate

GetCert returns the certificate of this Service Provider.

func (*SP) GetCertPEM

func (sp *SP) GetCertPEM() []byte

GetCertPEM returns the certificate of this Service Provider in PEM format.

func (*SP) GetIDP

func (sp *SP) GetIDP(entityID string) (*IDP, error)

GetIDP returns an IDP object representing the Identity Provider matching the given entityID.

func (*SP) GetKey

func (sp *SP) GetKey() *rsa.PrivateKey

GetKey returns the private key of this Service Provider.

func (*SP) GetKeyPEM

func (sp *SP) GetKeyPEM() []byte

GetKeyPEM returns the private key of this Service Provider in PEM format.

func (*SP) GetSigningContext

func (sp *SP) GetSigningContext() *dsig.SigningContext

func (*SP) LoadIDPMetadata

func (sp *SP) LoadIDPMetadata(dir string) error

LoadIDPMetadata loads one or more Identity Providers by reading all the XML files in the given directory.

func (*SP) LoadIDPsFromXMLFile

func (sp *SP) LoadIDPsFromXMLFile(path string) error

LoadIDPsFromXMLFile loads an Identity Provider from its XML metadata.

func (*SP) Metadata

func (sp *SP) Metadata() string

Metadata generates XML metadata of this Service Provider.

func (*SP) NewAuthnRequest

func (sp *SP) NewAuthnRequest(idp *IDP) *AuthnRequest

NewAuthnRequest generates an AuthnRequest addressed to this Identity Provider. Note that this method does not perform any network call; it just initializes an object.

func (*SP) NewLogoutRequest

func (sp *SP) NewLogoutRequest(session *Session) (*LogoutRequestOut, error)

NewLogoutRequest generates a LogoutRequest addressed to the Identity Provider. Note that this method does not perform any network call; it just initializes an object.

func (*SP) NewLogoutResponse

func (sp *SP) NewLogoutResponse(logoutreq *LogoutRequestIn, status LogoutStatus) (*LogoutResponseOut, error)

NewLogoutResponse generates a LogoutResponse addressed to the Identity Provider, answering the given LogoutRequestIn with the given status. Note that this method does not perform any network call; it just initializes an object.

func (*SP) ParseLogoutRequest

func (sp *SP) ParseLogoutRequest(r *http.Request) (*LogoutRequestIn, error)

ParseLogoutRequest parses an http.Request and instantiates a LogoutRequestIn.

func (*SP) ParseLogoutResponse

func (sp *SP) ParseLogoutResponse(r *http.Request) (*LogoutResponseIn, error)

ParseLogoutResponse parses an http.Request and instantiates a LogoutResponseIn.

type ServiceName

type ServiceName struct {
	Lang string
	Name string
}

type Session

type Session struct {
	IDPEntityID  string
	NameID       string
	SessionIndex string
	AssertionXML []byte
	Level        int
	Attributes   map[string]string
}

Session represents an active SPID session.
