Documentation ¶
Index ¶
- Variables
- type Assertion
- type AssumeRoleWithSAMLResult
- type AssumedRoleUser
- type Attribute
- type AttributeStatement
- type AttributeValue
- type Audience
- type AudienceRestriction
- type AuthnContext
- type AuthnContextClassRef
- type AuthnStatement
- type CanonicalizationMethod
- type Conditions
- type DigestMethod
- type DigestValue
- type Issuer
- type KeyInfo
- type NameID
- type Options
- type Response
- type SAMLMiddleware
- func (m *SAMLMiddleware) AssertionConsumerHandler(w http.ResponseWriter, r *http.Request)
- func (m *SAMLMiddleware) Authorize(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion)
- func (m *SAMLMiddleware) LoginHandler(w http.ResponseWriter, r *http.Request)
- func (m *SAMLMiddleware) LogoutHandler(w http.ResponseWriter, r *http.Request)
- func (m *SAMLMiddleware) SAMLMetadataHandler(w http.ResponseWriter, r *http.Request)
- type STSError
- type STSErrorCode
- type STSErrorResponse
- type Signature
- type SignatureMethod
- type Status
- type Subject
- type SubjectConfirmation
- type SubjectConfirmationData
- type TokenClaims
- type Transforms
- type X509Certificate
Constants ¶
This section is empty.
Variables ¶
var (
	// GOPATH - GOPATH value at the time of build.
	GOPATH = ""
	// Version - version time.RFC3339.
	Version = goGetTag
	// ReleaseTag - release tag in TAG.%Y-%m-%dT%H-%M-%SZ.
	ReleaseTag = goGetTag
	// CommitID - latest commit id.
	CommitID = goGetTag
	// ShortCommitID - first 12 characters from CommitID.
	ShortCommitID = CommitID[:12]
)
DO NOT EDIT THIS FILE DIRECTLY. These are build-time constants set through ‘buildscripts/gen-ldflags.go’.
Functions ¶
This section is empty.
Types ¶
type Assertion ¶
type Assertion struct {
	XMLName            xml.Name
	ID                 string `xml:"ID,attr"`
	Version            string `xml:"Version,attr"`
	XS                 string `xml:"xmlns:xs,attr"`
	XSI                string `xml:"xmlns:xsi,attr"`
	SAML               string `xml:"xmlns:saml,attr"`
	IssueInstant       string `xml:"IssueInstant,attr"`
	Issuer             Issuer `xml:"Issuer"`
	Subject            Subject
	Conditions         Conditions
	AuthnStatements    []AuthnStatement `xml:"AuthnStatement,omitempty"`
	AttributeStatement AttributeStatement
}
Assertion - a SAML <Assertion> element from the response, if present: its Issuer, Subject, Conditions, any AuthnStatements and the AttributeStatement.
type AssumeRoleWithSAMLResult ¶
type AssumeRoleWithSAMLResult struct {
	// The identifiers for the temporary security credentials that the operation
	// returns.
	AssumedRoleUser AssumedRoleUser `xml:",omitempty"`

	// The value of the Recipient attribute of the SubjectConfirmationData element
	// of the SAML assertion.
	Audience string `xml:",omitempty"`

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// Note: The size of the security token that STS APIs return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size. As
	// of this writing, the typical size is less than 4096 bytes, but that can vary.
	// Also, future updates to AWS might require larger sizes.
	Credentials credentials.Credential `xml:",omitempty"`

	// The value of the Issuer element of the SAML assertion.
	Issuer string `xml:",omitempty"`

	// A hash value based on the concatenation of the Issuer response value, the
	// AWS account ID, and the friendly name (the last part of the ARN) of the SAML
	// provider in IAM. The combination of NameQualifier and Subject can be used
	// to uniquely identify a federated user.
	//
	// The following pseudocode shows how the hash value is calculated:
	//
	// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
	NameQualifier string `xml:",omitempty"`

	// A percentage value that indicates the size of the policy in packed form.
	// The service rejects any policy with a packed size greater than 100 percent,
	// which means the policy exceeded the allowed space.
	PackedPolicySize int64 `xml:",omitempty"`

	// The value of the NameID element in the Subject element of the SAML assertion.
	Subject string `xml:",omitempty"`

	// The format of the name ID, as defined by the Format attribute in the NameID
	// element of the SAML assertion. Typical examples of the format are transient
	// or persistent.
	//
	// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
	// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
	// is returned as transient. If the format includes any other prefix, the format
	// is returned with no modifications.
	SubjectType string `xml:",omitempty"`
}
AssumeRoleWithSAMLResult - Contains the response to a successful AssumeRoleWithSAML request, including temporary AWS credentials that can be used to make AWS requests. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse
type AssumedRoleUser ¶
type AssumedRoleUser struct {
	// The ARN of the temporary security credentials that are returned from the
	// AssumeRole action. For more information about ARNs and how to use them in
	// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
	// in Using IAM.
	//
	// Arn is a required field
	Arn string

	// A unique identifier that contains the role ID and the role session name of
	// the role that is being assumed. The role ID is generated by AWS when the
	// role is created.
	//
	// AssumedRoleId is a required field
	AssumedRoleID string `xml:"AssumeRoleId"`
}
AssumedRoleUser - The identifiers for the temporary security credentials that the operation returns. Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
type Attribute ¶
type Attribute struct {
	XMLName         xml.Name
	Name            string           `xml:",attr"`
	FriendlyName    string           `xml:",attr,omitempty"`
	NameFormat      string           `xml:",attr"`
	AttributeValues []AttributeValue `xml:"AttributeValue"`
}
Attribute - a SAML <Attribute> element: its Name, optional FriendlyName, NameFormat and one or more <AttributeValue> children.
type AttributeStatement ¶
AttributeStatement - the <AttributeStatement> element of an assertion, carrying the Attribute elements asserted about the subject.
type AttributeValue ¶
type AttributeValue struct {
	XMLName xml.Name
	Type    string `xml:"xsi:type,attr"`
	Value   string `xml:",innerxml"`
}
AttributeValue - a single <AttributeValue> element; Type carries the xsi:type attribute and Value the element's inner XML.
type AudienceRestriction ¶
AudienceRestriction - the <AudienceRestriction> condition listing the audiences (service provider entity IDs) the assertion is intended for.
type AuthnContext ¶
type AuthnContext struct {
	XMLName              xml.Name
	AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}
AuthnContext - the <AuthnContext> of an authentication statement, wrapping the AuthnContextClassRef.
type AuthnContextClassRef ¶
type AuthnContextClassRef struct {
	XMLName   xml.Name
	SAML      string `xml:"xmlns:saml,attr"`
	Transport string `xml:",innerxml"`
}
AuthnContextClassRef - URI reference identifying the authentication context class the identity provider used; the reference is read as inner XML into Transport.
type AuthnStatement ¶
type AuthnStatement struct {
	XMLName             xml.Name
	AuthnInstant        string       `xml:",attr"`
	SessionNotOnOrAfter string       `xml:",attr,omitempty"`
	SessionIndex        string       `xml:",attr,omitempty"`
	AuthnContext        AuthnContext `xml:"AuthnContext"`
}
AuthnStatement - an <AuthnStatement> recording when (AuthnInstant) and how (AuthnContext) the subject authenticated, with an optional SessionIndex and SessionNotOnOrAfter.
type CanonicalizationMethod ¶
CanonicalizationMethod - Use of Exclusive Canonicalization ensures that signatures created over SAML messages embedded in an XML context can be verified independent of that context.
type Conditions ¶
type Conditions struct {
	XMLName              xml.Name
	NotBefore            string                `xml:",attr"`
	NotOnOrAfter         string                `xml:",attr"`
	AudienceRestrictions []AudienceRestriction `xml:"AudienceRestriction,omitempty"`
}
Conditions - the <Conditions> element: the NotBefore/NotOnOrAfter validity window and any AudienceRestriction. A relying party must reject an assertion that is outside the window or is not addressed to it.
type DigestMethod ¶
DigestMethod - algorithm used for generating the digest.
type Issuer ¶
type Issuer struct {
	XMLName xml.Name
	SAML    string `xml:"xmlns:saml,attr"`
	URL     string `xml:",innerxml"`
}
Issuer - http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf The <Issuer> element, with complex type NameIDType, provides information about the issuer of a SAML assertion or protocol message.
type KeyInfo ¶
type KeyInfo struct {
	XMLName  xml.Name
	X509Data struct {
		XMLName         xml.Name
		X509Certificate X509Certificate `xml:",innerxml"`
	} `xml:",innerxml"`
}
KeyInfo - SAML does not require the use of <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore, <ds:KeyInfo> MAY be absent.
type NameID ¶
type NameID struct {
	XMLName         xml.Name
	Format          string `xml:",attr"`
	SPNameQualifier string `xml:",attr,omitempty"`
	Value           string `xml:",innerxml"`
}
NameID - the <NameID> naming the subject, with its Format (for example transient or persistent; see SubjectType above) and an optional SPNameQualifier.
type Options ¶
type Options struct {
	SP             saml.ServiceProvider
	IDPMetadata    *saml.EntityDescriptor
	IDPMetadataURL url.URL
	HTTPClient     *http.Client
	// Accept IdP-initiated login, i.e. responses that are not InResponseTo a request this SP sent.
	AllowIDPInitiated bool
}
Options represents the parameters for creating a new middleware
type Response ¶
type Response struct {
	XMLName      xml.Name
	SAMLP        string    `xml:"xmlns:samlp,attr"`
	SAML         string    `xml:"xmlns:saml,attr"`
	SAMLSIG      string    `xml:"xmlns:samlsig,attr"`
	Destination  string    `xml:"Destination,attr"`
	ID           string    `xml:"ID,attr"`
	Version      string    `xml:"Version,attr"`
	IssueInstant string    `xml:"IssueInstant,attr"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	Issuer       Issuer    `xml:"Issuer"`
	Signature    Signature `xml:"Signature"`
	Status       Status    `xml:"Status"`
	// contains filtered or unexported fields
}
Response - the SAML response obtained by parsing the base64-encoded response posted by the identity provider.
func ParseSAMLResponse ¶
ParseSAMLResponse - parses a base64-encoded SAML response XML document into a Response.
type SAMLMiddleware ¶
type SAMLMiddleware struct {
	ServiceProvider   saml.ServiceProvider
	AllowIDPInitiated bool
	CookieName        string
	CookieMaxAge      time.Duration
}
SAMLMiddleware implements middleware that allows a web application to support SAML.
It implements http.Handler so that it can provide the metadata and ACS endpoints, typically /SAML2/Meta and /SAML2/ACS, respectively.
It also provides a login handler which redirects users to the auth process if they do not have session credentials.
When redirecting the user through the SAML auth flow, the middleware assigns a temporary cookie with a random name beginning with "saml_". The value of the cookie is a signed JSON Web Token containing the original URL requested and the SAML request ID. The random part of the name corresponds to the RelayState parameter passed through the SAML flow.
When validating the SAML response, the RelayState is used to look up the correct cookie, validate that the SAML request ID matches the one recorded there, and redirect the user back to their original URL.
Sessions are established by issuing a JSON Web Token (JWT) as a session cookie once the SAML flow has succeeded. The JWT token contains the authenticated attributes from the SAML assertion.
When issuing JSON Web Tokens, a signing key is required. Because the SAML service provider already has a private key, we borrow that key to sign the JWTs as well.
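The cookie-and-RelayState mechanism described above, as an added example (not the package's code): a compact RS256 JWT is minted with the service provider's RSA key over the original URL and the request ID, stored under a "saml_<relay>" cookie, and on the ACS side the RelayState selects the cookie, the token is verified with the algorithm pinned, and the assertion's InResponseTo is compared with the recorded request ID. The claim names, the cookie map standing in for http.Cookie, NewSPKey standing in for the SP's existing key, and the hand-rolled stdlib JWT (instead of a JWT library) are all this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// FlowClaims is the payload of the temporary "saml_<relay>" cookie: the URL
// the user first asked for and the ID of the AuthnRequest we sent. The claim
// names are this example's assumption.
type FlowClaims struct {
	URI string `json:"uri"`
	ID  string `json:"id"`
	Exp int64  `json:"exp"`
}

// NewSPKey stands in for the service provider's existing signing key.
func NewSPKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT produces a compact RS256 token over claims with the SP private key.
func SignJWT(key *rsa.PrivateKey, claims interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyJWT pins the algorithm to RS256 (never trust the token's own "alg"),
// checks the signature with the SP public key and enforces "exp" before
// unmarshalling the claims into out.
func VerifyJWT(pub *rsa.PublicKey, token string, now time.Time, out interface{}) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return err
		}
	}
	var h struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &h) != nil || h.Alg != "RS256" {
		return errors.New("unexpected alg")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], raw[2]) != nil {
		return errors.New("bad signature")
	}
	var e struct{ Exp int64 `json:"exp"` }
	if json.Unmarshal(raw[1], &e) != nil || e.Exp == 0 || !now.Before(time.Unix(e.Exp, 0)) {
		return errors.New("token expired or without exp")
	}
	return json.Unmarshal(raw[1], out)
}

// CheckRelayState is the ACS-side lookup: RelayState names the "saml_<relay>"
// cookie, that cookie's token must verify, and the assertion's InResponseTo
// must equal the request ID the cookie recorded. It returns the original URL.
func CheckRelayState(pub *rsa.PublicKey, cookies map[string]string, relayState, inResponseTo string, now time.Time) (string, error) {
	tok, ok := cookies["saml_"+relayState]
	if !ok {
		return "", errors.New("no cookie for this RelayState")
	}
	var fc FlowClaims
	if err := VerifyJWT(pub, tok, now, &fc); err != nil {
		return "", err
	}
	if fc.ID != inResponseTo {
		return "", errors.New("InResponseTo does not match the request we issued")
	}
	return fc.URI, nil
}

func main() {
	key, now := NewSPKey(), time.Now()
	tok, _ := SignJWT(key, FlowClaims{URI: "/buckets", ID: "id-123", Exp: now.Add(5 * time.Minute).Unix()})
	fmt.Println(CheckRelayState(&key.PublicKey, map[string]string{"saml_abc": tok}, "abc", "id-123", now))
}
```

The same SignJWT/VerifyJWT pair serves the session cookie issued after a successful flow; only the claims differ. Pinning "alg" on the verify side matters because the key is public: a token that declares "none" or an HMAC algorithm must never be accepted.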
func (*SAMLMiddleware) AssertionConsumerHandler ¶
func (m *SAMLMiddleware) AssertionConsumerHandler(w http.ResponseWriter, r *http.Request)
AssertionConsumerHandler - implements http.Handler and serves the SAML Assertion Consumer specific HTTP endpoint URI.
func (*SAMLMiddleware) Authorize ¶
func (m *SAMLMiddleware) Authorize(w http.ResponseWriter, r *http.Request, assertion *saml.Assertion)
Authorize is invoked by ServeHTTP when we have a new, valid SAML assertion. It sets a cookie that contains a signed JWT containing the assertion attributes. It then redirects the user's browser to the original URL contained in RelayState.
func (*SAMLMiddleware) LoginHandler ¶
func (m *SAMLMiddleware) LoginHandler(w http.ResponseWriter, r *http.Request)
LoginHandler is the SAML login http.Handler. If the request is not associated with a valid session, then rather than serve the request, the middleware redirects the user to start the SAML auth flow.
func (*SAMLMiddleware) LogoutHandler ¶
func (m *SAMLMiddleware) LogoutHandler(w http.ResponseWriter, r *http.Request)
LogoutHandler is the SAML logout http.Handler; it ends the user's session.
func (*SAMLMiddleware) SAMLMetadataHandler ¶
func (m *SAMLMiddleware) SAMLMetadataHandler(w http.ResponseWriter, r *http.Request)
SAMLMetadataHandler - implements http.Handler and serves the SAML Metadata specific HTTP endpoint URI.
type STSErrorCode ¶
type STSErrorCode int
STSErrorCode type of error status.
const (
	ErrSTSNone STSErrorCode = iota
	ErrSTSExpiredToken
	ErrSTSIDPRejectedClaim
	ErrSTSInvalidIdentityToken
	ErrSTSMalformedPolicyDocument
	ErrSTSInternalError
)
Error codes, non-exhaustive list - http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
type STSErrorResponse ¶
type STSErrorResponse struct {
	XMLName   xml.Name `xml:"ErrorResponse" json:"-"`
	Code      string
	Message   string
	RequestID string `xml:"RequestId"`
	HostID    string `xml:"HostId"`
}
STSErrorResponse - error response format
type Signature ¶
type Signature struct {
	XMLName    xml.Name
	ID         string `xml:"Id,attr"`
	SignedInfo struct {
		XMLName                xml.Name
		CanonicalizationMethod CanonicalizationMethod
		SignatureMethod        SignatureMethod
		SamlsigReference       struct {
			XMLName      xml.Name
			URI          string       `xml:"URI,attr"`
			Transforms   Transforms   `xml:",innerxml"`
			DigestMethod DigestMethod `xml:",innerxml"`
			DigestValue  DigestValue  `xml:",innerxml"`
		}
	}
	SignatureValue struct {
		XMLName xml.Name
		Value   string `xml:",innerxml"`
	}
	KeyInfo KeyInfo
}
Signature - An XML Signature that protects the integrity of and authenticates the issuer of the assertion
type SignatureMethod ¶
SignatureMethod - defines algorithm used to generate assertion signature.
type Status ¶
type Status struct {
	XMLName    xml.Name
	StatusCode struct {
		XMLName xml.Name
		Value   string `xml:",attr"`
	} `xml:"StatusCode"`
}
Status - <Status> element contains a code representing the status of the activity carried out in response to the corresponding request.
type Subject ¶
type Subject struct {
	XMLName             xml.Name
	NameID              NameID
	SubjectConfirmation SubjectConfirmation
}
Subject - the <Subject> of the assertion: the NameID and the SubjectConfirmation stating how the subject is confirmed.
type SubjectConfirmation ¶
type SubjectConfirmation struct {
	XMLName                 xml.Name
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}
SubjectConfirmation - the confirmation Method (for web browser SSO, urn:oasis:names:tc:SAML:2.0:cm:bearer) and its SubjectConfirmationData.
type SubjectConfirmationData ¶
type SubjectConfirmationData struct {
	XMLName      xml.Name
	InResponseTo string `xml:",attr"`
	NotOnOrAfter string `xml:",attr"`
	Recipient    string `xml:",attr"`
}
SubjectConfirmationData - bearer-confirmation constraints: InResponseTo must match the ID of the AuthnRequest the service provider sent, NotOnOrAfter bounds when the assertion may be used, and Recipient must be the service provider's assertion consumer URL.
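The parse-then-check path implied by ParseSAMLResponse, Conditions and SubjectConfirmationData above, as an added example that is not the package's own code. It mirrors only the fields it checks, decodes a constructed base64 response, and enforces the validity window (with clock skew), the audience, the Recipient and InResponseTo. The entityID, acsURL and requestID parameters and the sample response are assumptions made for this example; XML signature verification is assumed to have happened before Validate runs.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal mirror of the page's Response/Assertion structs, limited to the
// fields checked below; encoding/xml matches local names, so the samlp:/saml:
// prefixes need no special handling.
type samlResponse struct {
	Assertion struct {
		Confirmation struct {
			InResponseTo string `xml:"InResponseTo,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Recipient    string `xml:"Recipient,attr"`
		} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// ParseResponse decodes the base64 SAMLResponse form value and unmarshals it.
func ParseResponse(b64 string) (*samlResponse, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("not a SAML response: %w", err)
	}
	return &r, nil
}

// stillValid reports whether RFC 3339 instant s lies after now minus the
// allowed clock skew; a missing or malformed instant counts as expired.
func stillValid(s string, now time.Time, skew time.Duration) bool {
	t, err := time.Parse(time.RFC3339, s)
	return err == nil && now.Add(-skew).Before(t)
}

// Validate runs the checks that follow XML-signature verification (not shown).
// entityID is our metadata EntityID, acsURL our assertion consumer URL and
// requestID the AuthnRequest ID we issued ("" for IdP-initiated); the names are
// this example's, not the package's API.
func Validate(r *samlResponse, entityID, acsURL, requestID string, now time.Time, skew time.Duration) error {
	c := r.Assertion.Conditions
	nb, err := time.Parse(time.RFC3339, c.NotBefore)
	if err != nil || now.Add(skew).Before(nb) {
		return errors.New("assertion not yet valid or NotBefore malformed")
	}
	if !stillValid(c.NotOnOrAfter, now, skew) {
		return errors.New("assertion expired or NotOnOrAfter malformed")
	}
	addressed := false
	for _, a := range c.Audiences {
		addressed = addressed || a == entityID
	}
	if !addressed {
		return errors.New("no <Audience> names this service provider")
	}
	d := r.Assertion.Confirmation
	if d.Recipient != acsURL {
		return errors.New("Recipient is not our assertion consumer URL")
	}
	if requestID != "" && d.InResponseTo != requestID {
		return errors.New("InResponseTo does not match the AuthnRequest we sent")
	}
	if !stillValid(d.NotOnOrAfter, now, skew) {
		return errors.New("SubjectConfirmationData missing, malformed or expired")
	}
	return nil
}

// Constructed sample carrying only the elements the checks read.
const sampleXML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req1" Version="2.0">
<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:10:00Z" Recipient="https://sp.example/saml/acs"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>`

// SampleB64 returns the sample encoded the way the IdP POSTs it.
func SampleB64() string { return base64.StdEncoding.EncodeToString([]byte(sampleXML)) }

func main() {
	r, err := ParseResponse(SampleB64())
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 1, 1, 0, 5, 0, 0, time.UTC)
	fmt.Println(Validate(r, "https://sp.example/metadata", "https://sp.example/saml/acs", "_req1", now, time.Minute))
}
```

Every check here compares against a value the service provider knows independently of the response; none of them can be satisfied by an attacker who controls the XML but not the signing key, which is why they only make sense after the signature has been verified.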
type TokenClaims ¶
TokenClaims - extends jwt standard claims with SAML attributes.
type Transforms ¶
type Transforms struct {
	XMLName   xml.Name
	Transform []struct {
		XMLName   xml.Name
		Algorithm string `xml:"Algorithm,attr"`
	}
}
Transforms - Signatures in SAML messages SHOULD NOT contain transforms other than the enveloped signature transform (with the identifier http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the exclusive Canonicalization transforms (with the identifier http://www.w3.org/2001/10/xml-exc-c14n# or http://www.w3.org/2001/10/xml-exc-c14n#WithComments). Verifiers of signatures MAY reject signatures that contain other transform algorithms as invalid. If they do not, verifiers MUST ensure that no content of the SAML message is excluded from the signature. This can be accomplished by establishing out-of-band agreement as to what transforms are acceptable, or by applying the transforms manually to the content and reverifying the result as consisting of the same SAML message.
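The allowlist the Transforms note above recommends, as an added example (not the package's code): the Transform Algorithm attributes of a <ds:Signature> are parsed with a struct that mirrors the page's Signature/Transforms shape, and anything outside the three permitted identifiers is reported so the verifier can reject the signature before spending effort on digests. The two signature snippets are constructed for the example; the one carrying an XSLT transform illustrates the kind of transform that could rewrite signed content.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Mirror of the page's Signature/Transforms shape, limited to the Algorithm
// attributes (local-name matching, so the ds: prefix needs nothing special).
type signature struct {
	Transforms []struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"SignedInfo>Reference>Transforms>Transform"`
}

// The only transforms a SAML verifier should accept, as quoted above.
var allowedTransforms = map[string]bool{
	"http://www.w3.org/2000/09/xmldsig#enveloped-signature": true,
	"http://www.w3.org/2001/10/xml-exc-c14n#":               true,
	"http://www.w3.org/2001/10/xml-exc-c14n#WithComments":   true,
}

// RejectedTransforms parses a <ds:Signature> element and returns every
// Transform Algorithm outside the allowlist. An empty result means the
// signature may proceed to digest and signature-value verification.
func RejectedTransforms(sigXML []byte) ([]string, error) {
	var s signature
	if err := xml.Unmarshal(sigXML, &s); err != nil {
		return nil, err
	}
	var bad []string
	for _, t := range s.Transforms {
		if !allowedTransforms[t.Algorithm] {
			bad = append(bad, t.Algorithm)
		}
	}
	return bad, nil
}

// Constructed samples: a conformant signature and one smuggling an XSLT
// transform, which could rewrite the referenced content before digesting.
const goodSig = `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>`

const xsltSig = `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/>
</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>`

func main() {
	for _, s := range []string{goodSig, xsltSig} {
		bad, err := RejectedTransforms([]byte(s))
		fmt.Println(bad, err)
	}
}
```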
type X509Certificate ¶
X509Certificate - base64 encoded x.509 certificate data.