saml

package module
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 27, 2018 License: MIT Imports: 26 Imported by: 2

README

saml

Build Status cover.run go Go Report Card GoDoc

Package saml provides tools and middleware for implementing SAML based single sign-on.

Currently, the saml package depends on the xmlsec1 command.

See _example/servers for example implementations of IdP and SP servers.

SAML SSO basics

SAML SSO process

IdP initiated SSO
  1. An user selects a service provider (SP) to log in via SSO, a typical use case for this is a login button on an intranet.
  2. The user is asked by their login details (if not within a session yet).
  3. The IdP creates an payload (AuthnRequest) containing the user information and signs it.
  4. The IdP forces the user to submit the signed request to the SP they selected. This is typically done via a FORM that is auto-submitted via JavaScript.
  5. The SP receives the message and determines if the signature is valid, among other details.
  6. If the SP decides to trust the message, it can decode the payload with is expected to contain user information, such as e-mail address, unique ID and name details.
  7. The SP uses the payload and provides access to the user.
SP initiated SSO
  1. An user tries to access a restricted URL at a SP.
  2. The SP looks up the IdP that matches the private resource and redirects the user to a special IdP page. The original URL is passed as a RelayState parameter.
  3. The user is asked by their login details.
  4. The IdP creates an payload (AuthnRequest) containing the user information and signs it.
  5. The IdP forces the user to submit the signed request to the SP they selected. This is typically done via a FORM that is auto-submitted via JavaScript.
  6. The SP receives the message and determines if the signature is valid, among other details.
  7. If the SP decides to trust the message, it can decode the payload with is expected to contain user information, such as e-mail address, unique ID and name details.
  8. The SP uses the payload, provides access to the user and follows the RelayState URL.
  9. The user gets access to the restricted URL.

License

Code that is not based on previous Open Source work is released under the MIT license:

Copyright (c) 2017 Pressly Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Other portions of the code were taken from crewjam's saml, with the following license:

Copyright (c) 2015, Ross Kinder All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Documentation

Overview

Package sp provides tools for buildin an SP such as serving metadata, authenticating an assertion and building assertions for IdPs.

Index

Constants

View Source 
const HTTPPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

HTTPPostBinding is the official URN for the HTTP-POST binding (transport)

View Source 
const HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

HTTPRedirectBinding is the official URN for the HTTP-Redirect binding (transport)

View Source 
const IssueLifetime = time.Second * 90

IssueLifetime is the maximum timeframe where an assertion can be considered valid by the receptor.

Variables

View Source 
var ClockDriftTolerance = time.Duration(0)

ClockDriftTolerance is added or substracted to the current time to give some tolerance to assertion's NotBefore and NotOnOrAfter

View Source 
var NewID = func() string {
	uid, _ := uuid.NewV4()
	return fmt.Sprintf("id-%x", uid)
}

NewID is a function that returns a unique identifier. This value can be overwritten during tests.

View Source 
var Now = time.Now

Now is a function that returns the current time. This vale can be overwritten during tests.

View Source 
var StatusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success"

StatusSuccess is the value of a StatusCode element when the authentication succeeds. (nominally a constant, except for testing)

View Source 
var WorkDir = "/tmp"

WorkDir is a temporary directory for files. We need to write keys to disk in order for xmlsec1 to pick them and use them.

Functions

func Fatal added in v0.9.1 

func Fatal(v ...interface{})

Fatal prints an error. This does not end the execution of the program.

func Fatalf added in v0.9.1 

func Fatalf(s string, v ...interface{})

Fatalf prints a formatted error. This does not end the execution of the program.

func IsSecurityException 

func IsSecurityException(err error, opts *SecurityOpts) bool

IsSecurityException returns whether the given error is a security exception not bypassed by SecurityOpts.

func Log added in v0.9.1 

func Log(v ...interface{})

Log prints logging message, not necessarily an error.

func Logf 

func Logf(s string, v ...interface{})

Logf prints a formatted logging message, not necessarily an error.

func ParseCacheDuration added in v0.10.0 

func ParseCacheDuration(value string) (time.Duration, error)

ParseCacheDuration reads a xsd:duration from the metadata payload and converts into a time.Duration

See http://www.datypic.com/sc/xsd/t-xsd_duration.html

func SetLogger added in v0.9.1 

func SetLogger(lg Logger)

SetLogger determines which logger to use.

Types

type Assertion 

type Assertion struct {
	XMLName            xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID                 string    `xml:",attr"`
	IssueInstant       time.Time `xml:",attr"`
	Version            string    `xml:",attr"`
	Issuer             *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature          *xmlsec.Signature
	Subject            *Subject
	Conditions         *Conditions
	AuthnStatement     *AuthnStatement
	AttributeStatement *AttributeStatement
}

Assertion represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

func GetAssertionFromCtx added in v0.9.8 

func GetAssertionFromCtx(ctx context.Context) *Assertion

type Attribute 

type Attribute struct {
	FriendlyName string           `xml:",attr"`
	Name         string           `xml:",attr"`
	NameFormat   string           `xml:",attr"`
	Values       []AttributeValue `xml:"AttributeValue"`
}

Attribute represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributeStatement 

type AttributeStatement struct {
	Attributes []Attribute `xml:"Attribute"`
}

AttributeStatement represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributeValue 

type AttributeValue struct {
	Type   string `xml:"http://www.w3.org/2001/XMLSchema-instance type,attr"`
	Value  string `xml:",chardata"`
	NameID *NameID
}

AttributeValue represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributesMap 

type AttributesMap map[string][]string

AttributesMap is a type that provides methods for working with SAML attributes.

func NewAttributesMap 

func NewAttributesMap(assertion *Assertion) *AttributesMap

NewAttributesMap creates an attribute map given a third party assertion.

func (*AttributesMap) Get 

func (a *AttributesMap) Get(name string) string

Get returns the first value of the given attribute, if any.

type Audience 

type Audience struct {
	Value string `xml:",chardata"`
}

Audience represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AudienceRestriction 

type AudienceRestriction struct {
	Audience *Audience
}

AudienceRestriction represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Authenticator added in v0.9.8 

type Authenticator func(w http.ResponseWriter, r *http.Request) (*Session, error)

Authenticator defines an authentication function that returns a *saml.Session value.

type AuthnContext 

type AuthnContext struct {
	AuthnContextClassRef *AuthnContextClassRef
}

AuthnContext represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnContextClassRef 

type AuthnContextClassRef struct {
	Value string `xml:",chardata"`
}

AuthnContextClassRef represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnRequest 

type AuthnRequest struct {
	XMLName                     xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	AssertionConsumerServiceURL string            `xml:",attr"`
	Destination                 string            `xml:",attr"`
	ID                          string            `xml:",attr"`
	IssueInstant                time.Time         `xml:",attr"`
	ProtocolBinding             string            `xml:",attr"`
	Version                     string            `xml:",attr"`
	Issuer                      Issuer            `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature                   *xmlsec.Signature `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	NameIDPolicy                NameIDPolicy      `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
}

AuthnRequest represents the SAML object of the same name, a request from a service provider to authenticate a user.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnStatement 

type AuthnStatement struct {
	AuthnInstant    time.Time `xml:",attr"`
	SessionIndex    string    `xml:",attr"`
	SubjectLocality SubjectLocality
	AuthnContext    AuthnContext
}

AuthnStatement represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type CacheDuration added in v0.10.0 

type CacheDuration struct {
	// contains filtered or unexported fields
}

func (*CacheDuration) Duration added in v0.10.0 

func (duration *CacheDuration) Duration() time.Duration

func (*CacheDuration) MarshalAttr added in v0.10.0 

func (duration *CacheDuration) MarshalAttr(name xml.Name) (xml.Attr, error)

func (*CacheDuration) UnmarshalXMLAttr added in v0.10.0 

func (duration *CacheDuration) UnmarshalXMLAttr(attr xml.Attr) error

type Conditions 

type Conditions struct {
	NotBefore           time.Time `xml:",attr"`
	NotOnOrAfter        time.Time `xml:",attr"`
	AudienceRestriction *AudienceRestriction
}

Conditions represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type EncryptedAssertion 

type EncryptedAssertion struct {
	Assertion     *Assertion
	EncryptedData []byte `xml:",innerxml"`
}

EncryptedAssertion represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type EncryptionMethod 

type EncryptionMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
}

EncryptionMethod represents the XMLSEC object of the same name

type Endpoint 

type Endpoint struct {
	Binding          string `xml:"Binding,attr"`
	Location         string `xml:"Location,attr"`
	ResponseLocation string `xml:"ResponseLocation,attr,omitempty"`
}

Endpoint represents the SAML EndpointType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.2.2

type EntitiesDescriptor 

type EntitiesDescriptor struct {
	XMLName          xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntitiesDescriptor"`
	EntityDescriptor []*Metadata `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
}

EntitiesDescriptor represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.3.1

type IDPSSODescriptor 

type IDPSSODescriptor struct {
	XMLName                    xml.Name        `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
	ProtocolSupportEnumeration string          `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptor              []KeyDescriptor `xml:"KeyDescriptor"`
	NameIDFormat               []string        `xml:"NameIDFormat"`
	SingleSignOnService        []Endpoint      `xml:"SingleSignOnService"`
}

IDPSSODescriptor represents the SAML IDPSSODescriptorType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.4.3

type IdentityProvider 

type IdentityProvider struct {
	KeyFile  string
	CertFile string

	PrivkeyPEM string
	PubkeyPEM  string

	SSOURL      string
	MetadataURL string

	SPMetadataURL string
	SPMetadata    *Metadata

	SPAcsURL string

	EntityID string

	SecurityOpts
	// contains filtered or unexported fields
}

IdentityProvider represents an identity provider.

func (*IdentityProvider) Cert 

func (idp *IdentityProvider) Cert() (*pem.Block, error)

Cert returns a *pem.Block value that corresponds to the IdP's certificate.

func (*IdentityProvider) GetSPCertFile 

func (idp *IdentityProvider) GetSPCertFile() (string, error)

GetSPCertFile returns a physical path where the SP's certificate can be accessed.

func (*IdentityProvider) GetSPMetadata 

func (idp *IdentityProvider) GetSPMetadata() (*Metadata, error)

GetSPMetadata returns a the SP's metadata value

func (*IdentityProvider) Metadata 

func (idp *IdentityProvider) Metadata() (*Metadata, error)

Metadata returns a metadata value based on the IdP's data.

func (*IdentityProvider) MetadataHandler added in v0.9.8 

func (idp *IdentityProvider) MetadataHandler(w http.ResponseWriter, r *http.Request)

MetadataHandler generates and serves the IdP's metadata.xml file.

func (*IdentityProvider) NewLoginRequest added in v0.9.8 

func (idp *IdentityProvider) NewLoginRequest(spMetadataURL string, authFn Authenticator) (*LoginRequest, error)

NewLoginRequest creates a login request against an SP.

func (*IdentityProvider) PrivkeyFile 

func (idp *IdentityProvider) PrivkeyFile() (string, error)

PrivkeyFile returns a physical path where the IdP's key can be accessed.

func (*IdentityProvider) PubkeyFile 

func (idp *IdentityProvider) PubkeyFile() (string, error)

PubkeyFile returns a physical path where the IdP's public key can be accessed.

func (*IdentityProvider) ServeSSO added in v0.9.8 

func (idp *IdentityProvider) ServeSSO(authFn Authenticator) func(http.ResponseWriter, *http.Request)

ServeSSO creates and serves a SSO assertion based on a request.

type IdpAuthnRequest 

type IdpAuthnRequest struct {
	IDP                     *IdentityProvider
	HTTPRequest             *http.Request
	RelayState              string
	RequestBuffer           []byte
	Request                 AuthnRequest
	ServiceProviderMetadata *Metadata
	ACSEndpoint             *IndexedEndpoint
	Assertion               *Assertion
	AssertionBuffer         []byte
	Response                *Response
}

IdpAuthnRequest is used by IdentityProvider to handle a single authentication request.

func (*IdpAuthnRequest) MakeAssertion 

func (req *IdpAuthnRequest) MakeAssertion(session *Session) error

MakeAssertion produces a SAML assertion for the given request and assigns it to req.Assertion.

func (*IdpAuthnRequest) MakeResponse 

func (req *IdpAuthnRequest) MakeResponse() error

MakeResponse computes the Response field of the IdpAuthnRequest

func (*IdpAuthnRequest) MarshalAssertion 

func (req *IdpAuthnRequest) MarshalAssertion() error

MarshalAssertion produces a valid and signed XML assertion.

type IndexedEndpoint 

type IndexedEndpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}

IndexedEndpoint represents the SAML IndexedEndpointType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.2.3

type Issuer 

type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Format  string   `xml:",attr"`
	Value   string   `xml:",chardata"`
}

Issuer represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type KeyDescriptor 

type KeyDescriptor struct {
	Use               string             `xml:"use,attr"`
	KeyInfo           KeyInfo            `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	EncryptionMethods []EncryptionMethod `xml:"EncryptionMethod"`
}

KeyDescriptor represents the XMLSEC object of the same name

type KeyInfo 

type KeyInfo struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	Certificate string   `xml:"X509Data>X509Certificate"`
}

KeyInfo represents the XMLSEC object of the same name

type Logger added in v0.9.1 

type Logger interface {
	Printf(s string, v ...interface{})

	Print(v ...interface{})

	Fatalf(s string, v ...interface{})

	Fatal(v ...interface{})
}

Logger provides methods for request logging and debugging.

type LoginRequest added in v0.9.8 

type LoginRequest struct {
	// contains filtered or unexported fields
}

LoginRequest represents a login request that the IdP creates in order to try autenticating against a SP.

func (*LoginRequest) PostForm added in v0.9.8 

func (lr *LoginRequest) PostForm(w http.ResponseWriter, r *http.Request)

PostForm creates and serves a form that is used to authenticate to the SP.

type Metadata 

type Metadata struct {
	XMLName          xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	ValidUntil       time.Time         `xml:"validUntil,attr"`
	CacheDuration    *CacheDuration    `xml:"cacheDuration,attr,omitempty"`
	EntityID         string            `xml:"entityID,attr"`
	SPSSODescriptor  *SPSSODescriptor  `xml:"SPSSODescriptor"`
	IDPSSODescriptor *IDPSSODescriptor `xml:"IDPSSODescriptor"`
}

Metadata represents the SAML EntityDescriptor object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.3.2

func GetMetadata 

func GetMetadata(metadataURL string) (*Metadata, error)

GetMetadata takes the URL of a metadata.xml file, downloads and parses it. Returns a *Metadata value.

type NameID 

type NameID struct {
	Format          string `xml:",attr"`
	NameQualifier   string `xml:",attr"`
	SPNameQualifier string `xml:",attr"`
	Value           string `xml:",chardata"`
}

NameID represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type NameIDPolicy 

type NameIDPolicy struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
	AllowCreate bool     `xml:",attr"`
	Format      string   `xml:",chardata"`
}

NameIDPolicy represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Response 

type Response struct {
	XMLName            xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination        string   `xml:",attr"`
	Signature          *xmlsec.Signature
	ID                 string    `xml:",attr"`
	InResponseTo       string    `xml:",attr"`
	IssueInstant       time.Time `xml:",attr"`
	Version            string    `xml:",attr"`
	Issuer             *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status             *Status   `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	EncryptedAssertion *EncryptedAssertion
	Assertion          *Assertion `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

Response represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SPSSODescriptor 

type SPSSODescriptor struct {
	XMLName                    xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata SPSSODescriptor"`
	AuthnRequestsSigned        bool              `xml:",attr"`
	WantAssertionsSigned       bool              `xml:",attr"`
	ProtocolSupportEnumeration string            `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptor              []KeyDescriptor   `xml:"KeyDescriptor"`
	ArtifactResolutionService  []IndexedEndpoint `xml:"ArtifactResolutionService"`
	SingleLogoutService        []Endpoint        `xml:"SingleLogoutService"`
	ManageNameIDService        []Endpoint
	NameIDFormat               []string          `xml:"NameIDFormat"`
	AssertionConsumerService   []IndexedEndpoint `xml:"AssertionConsumerService"`
	AttributeConsumingService  []interface{}
}

SPSSODescriptor represents the SAML SPSSODescriptorType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.4.2

type SecurityOpts 

type SecurityOpts struct {
	AllowSelfSignedCert   bool
	TrustUnknownAuthority bool
}

SecurityOpts allows to bypass some security checks.

type ServiceProvider 

type ServiceProvider struct {
	IdPMetadataURL string
	IdPMetadataXML []byte
	IdPMetadata    *Metadata

	KeyFile  string
	CertFile string

	PrivkeyPEM string
	PubkeyPEM  string

	MetadataURL string
	AcsURL      string

	DTDFile string

	AllowIdpInitiated bool

	SecurityOpts
	// contains filtered or unexported fields
}

ServiceProvider represents a service provider.

func (*ServiceProvider) AssertionMiddleware added in v0.9.8 

func (sp *ServiceProvider) AssertionMiddleware(next http.Handler) http.Handler

AssertionMiddleware creates an HTTP handler that can be used to authenticate and validate an assertion. If the assertion is valid the flow it passed to the given grantFn function.

func (*ServiceProvider) AuthnRequestHandler added in v0.9.8 

func (sp *ServiceProvider) AuthnRequestHandler(w http.ResponseWriter, r *http.Request)

AuthnRequestHandler creates an authentication assert and makes the user send it to the IdP (via redirection).

func (*ServiceProvider) Cert 

func (sp *ServiceProvider) Cert() (*pem.Block, error)

Cert returns a *pem.Block value that corresponds to the SP's certificate.

func (*ServiceProvider) GetIdPAuthResource 

func (sp *ServiceProvider) GetIdPAuthResource() (string, error)

GetIdPAuthResource returns the authentication URL for the SP.

func (*ServiceProvider) GetIdPCertFile 

func (sp *ServiceProvider) GetIdPCertFile() (string, error)

GetIdPCertFile returns a physical path where the IdP certificate can be accessed.

func (*ServiceProvider) GetIdPMetadata 

func (sp *ServiceProvider) GetIdPMetadata() (*Metadata, error)

GetIdPMetadata returns the IdP metadata value.

func (*ServiceProvider) MakeAuthenticationRequest 

func (sp *ServiceProvider) MakeAuthenticationRequest(idpURL string) (*AuthnRequest, error)

MakeAuthenticationRequest produces a new AuthnRequest object for the given idpURL.

func (*ServiceProvider) Metadata 

func (sp *ServiceProvider) Metadata() (*Metadata, error)

Metadata returns a metadata value based on the SP's data.

func (*ServiceProvider) MetadataHandler added in v0.9.8 

func (sp *ServiceProvider) MetadataHandler(w http.ResponseWriter, r *http.Request)

MetadataHandler creates and serves a metadata XML file.

func (*ServiceProvider) PrivkeyFile 

func (sp *ServiceProvider) PrivkeyFile() (string, error)

PrivkeyFile returns a physical path where the SP's key can be accessed.

func (*ServiceProvider) PubkeyFile 

func (sp *ServiceProvider) PubkeyFile() (string, error)

PubkeyFile returns a physical path where the SP's public certificate can be accessed.

type Session 

type Session struct {
	ID         string
	CreateTime time.Time
	ExpireTime time.Time
	Index      string

	NameID         string
	Groups         []string
	UserID         string
	UserFullname   string
	UserName       string
	UserEmail      string
	UserCommonName string
	UserSurname    string
	UserGivenName  string
}

Session represents a user session. It is returned by the SessionProvider implementation's GetSession method. Fields here are used to set fields in the SAML assertion.

type Status 

type Status struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	StatusCode StatusCode
}

Status represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type StatusCode 

type StatusCode struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
	Value   string   `xml:",attr"`
}

StatusCode represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Subject 

type Subject struct {
	XMLName             xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	NameID              *NameID
	SubjectConfirmation *SubjectConfirmation
}

Subject represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmation 

type SubjectConfirmation struct {
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}

SubjectConfirmation represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmationData 

type SubjectConfirmationData struct {
	Address      string    `xml:",attr"`
	InResponseTo string    `xml:",attr"`
	NotOnOrAfter time.Time `xml:",attr"`
	Recipient    string    `xml:",attr"`
}

SubjectConfirmationData represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectLocality 

type SubjectLocality struct {
	Address string `xml:",attr"`
}

SubjectLocality represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type UserRequest added in v0.9.1 

type UserRequest struct {
	Context    context.Context
	RemoteAddr string
	Method     string
	RequestURI string
	Header     http.Header
	Form       string
	Body       string
}

UserRequest represents a request submitted from an user.

func InspectRequest added in v0.9.1 

func InspectRequest(r *http.Request) *UserRequest

InspectRequest creates a *UserRequest from a *http.Request

func (UserRequest) String added in v0.9.1 

func (ur UserRequest) String() string

String returns a formatted log with the user request, useful for debugging.

Source Files

View all Source files

Directories

Path Synopsis
_example
servers/idp-server command
servers/sp-server command
Package xmlsec is a wrapper around the xmlsec1 command https://www.aleksey.com/xmlsec/index.html
 Package xmlsec is a wrapper around the xmlsec1 command https://www.aleksey.com/xmlsec/index.html

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.