saml

package module
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 18, 2018 License: MIT Imports: 23 Imported by: 2

README

saml

Build Status cover.run go Go Report Card GoDoc

Package saml provides tools and middleware for implementing SAML based single sign-on.

Currently, the saml package depends on the xmlsec1 command.

See _example/servers for example implementations of IdP and SP servers.

SAML SSO basics

SAML SSO process

IdP initiated SSO
  1. An user selects a service provider (SP) to log in via SSO, a typical use case for this is a login button on an intranet.
  2. The user is asked by their login details (if not within a session yet).
  3. The IdP creates an payload (AuthnRequest) containing the user information and signs it.
  4. The IdP forces the user to submit the signed request to the SP they selected. This is typically done via a FORM that is auto-submitted via JavaScript.
  5. The SP receives the message and determines if the signature is valid, among other details.
  6. If the SP decides to trust the message, it can decode the payload with is expected to contain user information, such as e-mail address, unique ID and name details.
  7. The SP uses the payload and provides access to the user.
SP initiated SSO
  1. An user tries to access a restricted URL at a SP.
  2. The SP looks up the IdP that matches the private resource and redirects the user to a special IdP page. The original URL is passed as a RelayState parameter.
  3. The user is asked by their login details.
  4. The IdP creates an payload (AuthnRequest) containing the user information and signs it.
  5. The IdP forces the user to submit the signed request to the SP they selected. This is typically done via a FORM that is auto-submitted via JavaScript.
  6. The SP receives the message and determines if the signature is valid, among other details.
  7. If the SP decides to trust the message, it can decode the payload with is expected to contain user information, such as e-mail address, unique ID and name details.
  8. The SP uses the payload, provides access to the user and follows the RelayState URL.
  9. The user gets access to the restricted URL.

License

Code that is not based on previous Open Source work is released under the MIT license:

Copyright (c) 2017 Pressly Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Other portions of the code were taken from crewjam's saml, with the following license:

Copyright (c) 2015, Ross Kinder All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Documentation

Overview

Package sp provides tools for buildin an SP such as serving metadata, authenticating an assertion and building assertions for IdPs.

Index

Constants

View Source 
const HTTPPostBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

HTTPPostBinding is the official URN for the HTTP-POST binding (transport)

View Source 
const HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

HTTPRedirectBinding is the official URN for the HTTP-Redirect binding (transport)

View Source 
const IssueLifetime = time.Second * 90

IssueLifetime is the maximum timeframe where an assertion can be considered valid by the receptor.

Variables

View Source 
var ClockDriftTolerance = time.Duration(0)

ClockDriftTolerance is added or substracted to the current time to give some tolerance to assertion's NotBefore and NotOnOrAfter

View Source 
var NewID = func() string {
	uid, _ := uuid.NewV4()
	return fmt.Sprintf("id-%x", uid)
}

NewID is a function that returns a unique identifier. This value can be overwritten during tests.

View Source 
var Now = time.Now

Now is a function that returns the current time. This value can be overwritten during tests.

View Source 
var StatusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success"

StatusSuccess is the value of a StatusCode element when the authentication succeeds. (nominally a constant, except for testing)

View Source 
var WorkDir = "/tmp"

WorkDir is a temporary directory for files. We need to write keys to disk in order for xmlsec1 to pick them and use them.

Functions

func IsSecurityException 

func IsSecurityException(err error, opts *SecurityOpts) bool

IsSecurityException returns whether the given error is a security exception not bypassed by SecurityOpts.

func ParseCacheDuration added in v0.10.0 

func ParseCacheDuration(value string) (time.Duration, error)

ParseCacheDuration reads a xsd:duration from the metadata payload and converts into a time.Duration

See http://www.datypic.com/sc/xsd/t-xsd_duration.html

Types

type Assertion 

type Assertion struct {
	XMLName            xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID                 string    `xml:",attr"`
	IssueInstant       time.Time `xml:",attr"`
	Version            string    `xml:",attr"`
	Issuer             *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature          *xmlsec.Signature
	Subject            *Subject
	Conditions         *Conditions
	AuthnStatement     *AuthnStatement
	AttributeStatement *AttributeStatement
}

Assertion represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Attribute 

type Attribute struct {
	FriendlyName string           `xml:",attr"`
	Name         string           `xml:",attr"`
	NameFormat   string           `xml:",attr"`
	Values       []AttributeValue `xml:"AttributeValue"`
}

Attribute represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributeStatement 

type AttributeStatement struct {
	Attributes []Attribute `xml:"Attribute"`
}

AttributeStatement represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributeValue 

type AttributeValue struct {
	Type   string `xml:"http://www.w3.org/2001/XMLSchema-instance type,attr"`
	Value  string `xml:",chardata"`
	NameID *NameID
}

AttributeValue represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AttributesMap 

type AttributesMap map[string][]string

AttributesMap is a type that provides methods for working with SAML attributes.

func NewAttributesMap 

func NewAttributesMap(assertion *Assertion) *AttributesMap

NewAttributesMap creates an attribute map given a third party assertion.

func (*AttributesMap) Get 

func (a *AttributesMap) Get(name string) string

Get returns the first value of the given attribute, if any.

type Audience 

type Audience struct {
	Value string `xml:",chardata"`
}

Audience represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AudienceRestriction 

type AudienceRestriction struct {
	Audience *Audience
}

AudienceRestriction represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Authenticator added in v0.9.8 

type Authenticator func(w http.ResponseWriter, r *http.Request) (*Session, error)

Authenticator defines an authentication function that returns a *saml.Session value.

type AuthnContext 

type AuthnContext struct {
	AuthnContextClassRef *AuthnContextClassRef
}

AuthnContext represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnContextClassRef 

type AuthnContextClassRef struct {
	Value string `xml:",chardata"`
}

AuthnContextClassRef represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnRequest 

type AuthnRequest struct {
	XMLName                     xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	AssertionConsumerServiceURL string            `xml:",attr"`
	Destination                 string            `xml:",attr"`
	ID                          string            `xml:",attr"`
	IssueInstant                time.Time         `xml:",attr"`
	ProtocolBinding             string            `xml:",attr"`
	Version                     string            `xml:",attr"`
	Issuer                      Issuer            `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Signature                   *xmlsec.Signature `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	NameIDPolicy                NameIDPolicy      `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
}

AuthnRequest represents the SAML object of the same name, a request from a service provider to authenticate a user.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type AuthnStatement 

type AuthnStatement struct {
	AuthnInstant    time.Time `xml:",attr"`
	SessionIndex    string    `xml:",attr"`
	SubjectLocality SubjectLocality
	AuthnContext    AuthnContext
}

AuthnStatement represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type CacheDuration added in v0.10.0 

type CacheDuration struct {
	// contains filtered or unexported fields
}

func (*CacheDuration) Duration added in v0.10.0 

func (duration *CacheDuration) Duration() time.Duration

func (*CacheDuration) MarshalAttr added in v0.10.0 

func (duration *CacheDuration) MarshalAttr(name xml.Name) (xml.Attr, error)

func (*CacheDuration) UnmarshalXMLAttr added in v0.10.0 

func (duration *CacheDuration) UnmarshalXMLAttr(attr xml.Attr) error

type Conditions 

type Conditions struct {
	NotBefore           time.Time `xml:",attr"`
	NotOnOrAfter        time.Time `xml:",attr"`
	AudienceRestriction *AudienceRestriction
}

Conditions represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type EncryptedAssertion 

type EncryptedAssertion struct {
	Assertion     *Assertion
	EncryptedData []byte `xml:",innerxml"`
}

EncryptedAssertion represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type EncryptionMethod 

type EncryptionMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
}

EncryptionMethod represents the XMLSEC object of the same name

type Endpoint 

type Endpoint struct {
	Binding          string `xml:"Binding,attr"`
	Location         string `xml:"Location,attr"`
	ResponseLocation string `xml:"ResponseLocation,attr,omitempty"`
}

Endpoint represents the SAML EndpointType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.2.2

type EntitiesDescriptor 

type EntitiesDescriptor struct {
	XMLName          xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntitiesDescriptor"`
	EntityDescriptor []*Metadata `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
}

EntitiesDescriptor represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.3.1

type IDPSSODescriptor 

type IDPSSODescriptor struct {
	XMLName                    xml.Name        `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
	ProtocolSupportEnumeration string          `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptor              []KeyDescriptor `xml:"KeyDescriptor"`
	NameIDFormat               []string        `xml:"NameIDFormat"`
	SingleSignOnService        []Endpoint      `xml:"SingleSignOnService"`
}

IDPSSODescriptor represents the SAML IDPSSODescriptorType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.4.3

type IdentityProvider 

type IdentityProvider struct {

	// Identifier of the IdP entity  (must be a URI)
	EntityID string

	MetadataURL string

	SSOURL string

	SecurityOpts

	// File system location of the private key file
	KeyFile string

	// File system location of the cert file
	CertFile string

	// Private key can also be provided as a param
	// For now we need to write to a temp file since xmlsec requires a physical file to validate the document signature
	PrivkeyPEM string

	// Cert can also be provided as a param
	// For now we need to write to a temp file since xmlsec requires a physical file to validate the document signature
	PubkeyPEM string

	// Service provide settings
	SPMetadataURL string
	SPMetadata    *Metadata

	SPAcsURL string
	// contains filtered or unexported fields
}

IdentityProvider represents an identity provider.

func (*IdentityProvider) Cert 

func (idp *IdentityProvider) Cert() (*pem.Block, error)

Cert returns a *pem.Block value that corresponds to the IdP's certificate.

func (*IdentityProvider) GenerateResponse added in v0.12.0 

func (idp *IdentityProvider) GenerateResponse(samlRequest, relayState string, sess *Session, address string) ([]byte, error)

func (*IdentityProvider) GetSPCertFile 

func (idp *IdentityProvider) GetSPCertFile() (string, error)

GetSPCertFile returns a physical path where the SP's certificate can be accessed.

func (*IdentityProvider) GetSPMetadata 

func (idp *IdentityProvider) GetSPMetadata() (*Metadata, error)

GetSPMetadata returns a the SP's metadata value

func (*IdentityProvider) Metadata 

func (idp *IdentityProvider) Metadata() (*Metadata, error)

Metadata returns a metadata value based on the IdP's data.

func (*IdentityProvider) MetadataHandler added in v0.9.8 

func (idp *IdentityProvider) MetadataHandler(w http.ResponseWriter, r *http.Request)

MetadataHandler generates and serves the IdP's metadata.xml file.

func (*IdentityProvider) NewLoginRequest added in v0.9.8 

func (idp *IdentityProvider) NewLoginRequest(spMetadataURL string, authFn Authenticator) (*LoginRequest, error)

NewLoginRequest creates a login request against an SP.

func (*IdentityProvider) PrivkeyFile 

func (idp *IdentityProvider) PrivkeyFile() (string, error)

PrivkeyFile returns a physical path where the IdP's key can be accessed.

func (*IdentityProvider) PubkeyFile 

func (idp *IdentityProvider) PubkeyFile() (string, error)

PubkeyFile returns a physical path where the IdP's public key can be accessed.

type IdpAuthnRequest 

type IdpAuthnRequest struct {
	IDP *IdentityProvider

	// Address set in the SubjectConfirmation element of the Assertion
	Address string

	RelayState              string
	RequestBuffer           []byte
	Request                 AuthnRequest
	ServiceProviderMetadata *Metadata
	ACSEndpoint             *IndexedEndpoint
	Assertion               *Assertion
	AssertionBuffer         []byte
	Response                *Response
}

IdpAuthnRequest is used by IdentityProvider to handle a single authentication request.

func (*IdpAuthnRequest) MakeAssertion 

func (req *IdpAuthnRequest) MakeAssertion(session *Session) error

MakeAssertion produces a SAML assertion for the given request and assigns it to req.Assertion.

func (*IdpAuthnRequest) MakeResponse 

func (req *IdpAuthnRequest) MakeResponse() error

MakeResponse computes the Response field of the IdpAuthnRequest

func (*IdpAuthnRequest) MarshalAssertion 

func (req *IdpAuthnRequest) MarshalAssertion() error

MarshalAssertion produces a valid and signed XML assertion.

type IndexedEndpoint 

type IndexedEndpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
	Index    int    `xml:"index,attr"`
}

IndexedEndpoint represents the SAML IndexedEndpointType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.2.3

type Issuer 

type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Format  string   `xml:",attr"`
	Value   string   `xml:",chardata"`
}

Issuer represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type KeyDescriptor 

type KeyDescriptor struct {
	Use               string             `xml:"use,attr"`
	KeyInfo           KeyInfo            `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	EncryptionMethods []EncryptionMethod `xml:"EncryptionMethod"`
}

KeyDescriptor represents the XMLSEC object of the same name

type KeyInfo 

type KeyInfo struct {
	XMLName     xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	Certificate string   `xml:"X509Data>X509Certificate"`
}

KeyInfo represents the XMLSEC object of the same name

type LoginRequest added in v0.9.8 

type LoginRequest struct {
	// contains filtered or unexported fields
}

LoginRequest represents a login request that the IdP creates in order to try autenticating against a SP.

func (*LoginRequest) PostForm added in v0.9.8 

func (lr *LoginRequest) PostForm(w http.ResponseWriter, r *http.Request)

PostForm creates and serves a form that is used to authenticate to the SP.

type Metadata 

type Metadata struct {
	XMLName          xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	ValidUntil       time.Time         `xml:"validUntil,attr"`
	CacheDuration    *CacheDuration    `xml:"cacheDuration,attr,omitempty"`
	EntityID         string            `xml:"entityID,attr"`
	SPSSODescriptor  *SPSSODescriptor  `xml:"SPSSODescriptor"`
	IDPSSODescriptor *IDPSSODescriptor `xml:"IDPSSODescriptor"`
}

Metadata represents the SAML EntityDescriptor object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.3.2

func GetMetadata 

func GetMetadata(metadataURL string) (*Metadata, error)

GetMetadata takes the URL of a metadata.xml file, downloads and parses it. Returns a *Metadata value.

func (*Metadata) Cert added in v0.12.0 

func (metadata *Metadata) Cert() string

func (*Metadata) SSOService added in v0.12.0 

func (metadata *Metadata) SSOService(binding string) *Endpoint

type NameID 

type NameID struct {
	Format          string `xml:",attr"`
	NameQualifier   string `xml:",attr"`
	SPNameQualifier string `xml:",attr"`
	Value           string `xml:",chardata"`
}

NameID represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type NameIDPolicy 

type NameIDPolicy struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol NameIDPolicy"`
	AllowCreate bool     `xml:",attr"`
	Format      string   `xml:",chardata"`
}

NameIDPolicy represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Response 

type Response struct {
	XMLName            xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination        string   `xml:",attr"`
	Signature          *xmlsec.Signature
	ID                 string    `xml:",attr"`
	InResponseTo       string    `xml:",attr"`
	IssueInstant       time.Time `xml:",attr"`
	Version            string    `xml:",attr"`
	Issuer             *Issuer   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status             *Status   `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	EncryptedAssertion *EncryptedAssertion
	Assertion          *Assertion `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	XMLText            []byte     `xml:"-"`
}

Response represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 3.3.3

type SPSSODescriptor 

type SPSSODescriptor struct {
	XMLName                    xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata SPSSODescriptor"`
	AuthnRequestsSigned        bool              `xml:",attr"`
	WantAssertionsSigned       bool              `xml:",attr"`
	ProtocolSupportEnumeration string            `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptor              []KeyDescriptor   `xml:"KeyDescriptor"`
	ArtifactResolutionService  []IndexedEndpoint `xml:"ArtifactResolutionService"`
	SingleLogoutService        []Endpoint        `xml:"SingleLogoutService"`
	ManageNameIDService        []Endpoint
	NameIDFormat               []string          `xml:"NameIDFormat"`
	AssertionConsumerService   []IndexedEndpoint `xml:"AssertionConsumerService"`
	AttributeConsumingService  []interface{}
}

SPSSODescriptor represents the SAML SPSSODescriptorType object.

See http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf section 2.4.2

type SecurityOpts 

type SecurityOpts struct {
	AllowSelfSignedCert   bool
	TrustUnknownAuthority bool
}

SecurityOpts allows to bypass some security checks.

type ServiceProvider 

type ServiceProvider struct {
	MetadataURL string

	// Identifier of the SP entity  (must be a URI)
	EntityID string

	// Assertion Consumer Service URL
	// Specifies where the <AuthnResponse> message MUST be returned to
	ACSURL string

	// SAML protocol binding to be used when returning the <Response> message.
	// Supports only HTTP-POST binding
	ACSBinding string

	AllowIdpInitiated bool

	SecurityOpts

	// File system location of the private key file
	KeyFile string

	// File system location of the cert file
	CertFile string

	// Private key can also be provided as a param
	// For now we need to write to a temp file since xmlsec requires a physical file to validate the document signature
	PrivkeyPEM string

	// Cert can also be provided as a param
	// For now we need to write to a temp file since xmlsec requires a physical file to validate the document signature
	PubkeyPEM string

	DTDFile string

	// Identity Provider settings the Service Provider instance should use
	IdPMetadataURL string
	IdPMetadataXML []byte
	IdPMetadata    *Metadata

	// Identifier of the SP entity (must be a URI)
	IdPEntityID string

	// File system location of the cert file
	IdPCertFile string
	// Cert can also be provided as a param
	// For now we need to write to a temp file since xmlsec requires a physical file to validate the document signature
	IdPPubkeyPEM string

	// SAML protocol binding to be used when sending the <AuthnRequest> message
	IdPSSOServiceBinding string

	// URL Target of the IdP where the SP will send the AuthnRequest message
	IdPSSOServiceURL string
	// contains filtered or unexported fields
}

ServiceProvider represents a service provider.

func (*ServiceProvider) AssertResponse added in v0.11.0 

func (sp *ServiceProvider) AssertResponse(base64Res string) (*Assertion, error)

AssertResponse parses and validates a SAML response and its assertion

func (*ServiceProvider) AuthnRequestURL added in v0.11.0 

func (sp *ServiceProvider) AuthnRequestURL(relayState string) (string, error)

AuthnRequestURL creates SAML 2.0 AuthnRequest redirect URL, aka SP-initiated login (SP->IdP). The data is passed in the ?SAMLRequest query parameter and the value is base64 encoded and deflate-compressed <AuthnRequest> XML element. The final redirect destination that will be invoked on successful login is passed using ?RelayState query parameter.

func (*ServiceProvider) Cert 

func (sp *ServiceProvider) Cert() (*pem.Block, error)

Cert returns a *pem.Block value that corresponds to the SP's certificate.

func (*ServiceProvider) GetIdPCertFile 

func (sp *ServiceProvider) GetIdPCertFile() (string, error)

GetIdPCertFile returns a physical path where the IdP certificate can be accessed.

func (*ServiceProvider) Metadata 

func (sp *ServiceProvider) Metadata() (*Metadata, error)

Metadata returns a metadata value based on the SP's data.

func (*ServiceProvider) MetadataXML added in v0.11.0 

func (sp *ServiceProvider) MetadataXML() ([]byte, error)

MetadataXML returns SAML 2.0 Service Provider metadata XML.

func (*ServiceProvider) NewAuthnRequest added in v0.11.0 

func (sp *ServiceProvider) NewAuthnRequest() (*AuthnRequest, error)

NewAuthnRequest creates a new AuthnRequest object for the given IdP URL.

func (*ServiceProvider) NewPostSAMLRequest added in v0.12.0 

func (sp *ServiceProvider) NewPostSAMLRequest() (string, error)

NewSAMLRequest creates SAML 2.0 AuthnRequest The <AuthnRequest> XML element is base64 encoded

func (*ServiceProvider) NewRedirectSAMLRequest added in v0.12.0 

func (sp *ServiceProvider) NewRedirectSAMLRequest() (string, error)

NewSAMLRequest creates SAML 2.0 AuthnRequest The <AuthnRequest> XML element is deflate-compressed, base64 and URL encoded

func (*ServiceProvider) ParseIdPMetadata added in v0.12.0 

func (sp *ServiceProvider) ParseIdPMetadata() (*Metadata, error)

func (*ServiceProvider) PrivkeyFile 

func (sp *ServiceProvider) PrivkeyFile() (string, error)

PrivkeyFile returns a physical path where the SP's key can be accessed.

func (*ServiceProvider) PubkeyFile 

func (sp *ServiceProvider) PubkeyFile() (string, error)

PubkeyFile returns a physical path where the SP's public certificate can be accessed.

type Session 

type Session struct {
	ID         string
	CreateTime time.Time
	ExpireTime time.Time
	Index      string

	NameID         string
	Groups         []string
	UserID         string
	UserFullname   string
	UserName       string
	UserEmail      string
	UserCommonName string
	UserSurname    string
	UserGivenName  string
}

Session represents a user session. It is returned by the SessionProvider implementation's GetSession method. Fields here are used to set fields in the SAML assertion.

type Status 

type Status struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	StatusCode StatusCode
}

Status represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type StatusCode 

type StatusCode struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
	Value   string   `xml:",attr"`
}

StatusCode represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type Subject 

type Subject struct {
	XMLName             xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	NameID              *NameID
	SubjectConfirmation *SubjectConfirmation
}

Subject represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmation 

type SubjectConfirmation struct {
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}

SubjectConfirmation represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectConfirmationData 

type SubjectConfirmationData struct {
	Address      string    `xml:",attr"`
	InResponseTo string    `xml:",attr"`
	NotOnOrAfter time.Time `xml:",attr"`
	Recipient    string    `xml:",attr"`
}

SubjectConfirmationData represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

type SubjectLocality 

type SubjectLocality struct {
	Address string `xml:",attr"`
}

SubjectLocality represents the SAML object of the same name.

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Source Files

View all Source files

Directories

Path Synopsis
_example
servers/idp-server command
servers/sp-server command
Package xmlsec is a wrapper around the xmlsec1 command https://www.aleksey.com/xmlsec/index.html
 Package xmlsec is a wrapper around the xmlsec1 command https://www.aleksey.com/xmlsec/index.html

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.