README
¶
SAML IDP Module
This module allows a service to act as IDP (allow others to SSO with the service).
This module registers a feature configurer which does the following:
- add metadata refresh middleware to the sso endpoint
- add sso endpoint
- add metadata endpoint
- add error handling
Example Usage
samlidp.Use()
func (c *ExampleConfigurer) Configure(ws security.WebSecurity) {
ws.Route(matcher.RouteWithPattern(c.config.Endpoints.SamlSso.Location.Path)).
With(saml_auth.NewEndpoint().
Issuer(c.config.Issuer).
SsoCondition(c.config.Endpoints.SamlSso.Condition).
SsoLocation(c.config.Endpoints.SamlSso.Location).
MetadataPath(c.config.Endpoints.SamlMetadata))
//Add more configuration to WS to finish the rest of the configuration for your app (i.e. what idp to use, etc)
}
Documentation
¶
Index ¶
- Constants
- Variables
- func DetermineACSEndpoint(req *saml.IdpAuthnRequest) error
- func MakeAssertion(ctx context.Context, req *saml.IdpAuthnRequest, ...) error
- func MakeAssertionEl(req *saml.IdpAuthnRequest, skipEncryption bool) error
- func MakeErrorResponse(req *saml.IdpAuthnRequest, code string, message string) error
- func MakeLogoutResponse(req *SamlLogoutRequest, code string, message string) (*saml.LogoutResponse, error)
- func NewSamlInternalError(text string, causes ...interface{}) error
- func NewSamlRequestVersionMismatch(text string, causes ...interface{}) error
- func NewSamlRequesterError(text string, causes ...interface{}) error
- func NewSamlResponderError(text string, causes ...interface{}) error
- func SignLogoutResponse(idp *saml.IdentityProvider, resp *saml.LogoutResponse) error
- func UnmarshalRequest(req *saml.IdpAuthnRequest) error
- func Use()
- func ValidateAuthnRequest(req *saml.IdpAuthnRequest, spDetails SamlSpDetails, ...) error
- type AttributeGenerator
- type DefaultSamlClient
- func (c DefaultSamlClient) GetEntityId() string
- func (c DefaultSamlClient) GetMetadataSource() string
- func (c DefaultSamlClient) GetMetadataTrustedKeys() []string
- func (c DefaultSamlClient) GetTenantRestrictionType() string
- func (c DefaultSamlClient) GetTenantRestrictions() utils.StringSet
- func (c DefaultSamlClient) ShouldMetadataRequireSignature() bool
- func (c DefaultSamlClient) ShouldMetadataTrustCheck() bool
- func (c DefaultSamlClient) ShouldSkipAssertionEncryption() bool
- func (c DefaultSamlClient) ShouldSkipAuthRequestSignatureVerification() bool
- type Feature
- func (f *Feature) EnableSLO(logoutUrl string) *Feature
- func (f *Feature) Identifier() security.FeatureIdentifier
- func (f *Feature) Issuer(issuer security.Issuer) *Feature
- func (f *Feature) MetadataPath(path string) *Feature
- func (f *Feature) SigningMethod(signatureMethod string) *Feature
- func (f *Feature) SsoCondition(condition web.RequestMatcher) *Feature
- func (f *Feature) SsoLocation(location *url.URL) *Feature
- type MetadataMiddleware
- type Options
- type SamlAuthorizeEndpointConfigurer
- type SamlAuthorizeEndpointMiddleware
- type SamlError
- type SamlErrorHandler
- type SamlLogoutEndpointConfigurer
- type SamlLogoutRequest
- type SamlSingleLogoutMiddleware
- func (mw *SamlSingleLogoutMiddleware) Commence(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)
- func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationError(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)
- func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationSuccess(ctx context.Context, r *http.Request, rw http.ResponseWriter, ...)
- func (mw *SamlSingleLogoutMiddleware) HandleLogout(ctx context.Context, _ *http.Request, _ http.ResponseWriter, ...) error
- func (mw *SamlSingleLogoutMiddleware) Order() int
- func (mw *SamlSingleLogoutMiddleware) SLOCondition() web.RequestMatcher
- func (mw *SamlSingleLogoutMiddleware) ShouldLogout(ctx context.Context, r *http.Request, _ http.ResponseWriter, ...) error
- type SamlSpDetails
- type SamlSsoErrorTranslator
- type SpMetadataManager
Constants ¶
View Source
const ( TenantRestrictionTypeAny = "any" TenantRestrictionTypeAll = "all" )
View Source
const ( // ErrorSubTypeCodeSamlSso non-programming error that can occur during SAML web sso flow. These errors will be returned to the requester // as a status code when possible ErrorSubTypeCodeSamlSso = security.ErrorTypeCodeSaml + iota<<errorutils.ErrorSubTypeOffset // ErrorSubTypeCodeSamlSlo non-programming error that can occur during SAML SLO flow ErrorSubTypeCodeSamlSlo // ErrorSubTypeCodeSamlInternal programming error, these will be displayed on an error page // so that we can fix the error on our end. ErrorSubTypeCodeSamlInternal )
View Source
const ( ErrorCodeSamlSsoRequester ErrorCodeSamlSsoResponder ErrorCodeSamlSsoRequestVersionMismatch )
ErrorSubTypeCodeSamlSso
View Source
const ( ErrorCodeSamlSloRequester ErrorCodeSamlSloResponder )
ErrorSubTypeCodeSamlSlo
View Source
const CtxKeySamlAuthnRequest = "kSamlAuthnRequest"
View Source
const (
ErrorCodeSamlInternalGeneral
)
ErrorSubTypeCodeSamlInternal
Variables ¶
View Source
var ( ErrorSubTypeSamlSso = security.NewErrorSubType(ErrorSubTypeCodeSamlSso, errors.New("error sub-type: sso")) ErrorSubTypeSamlSlo = security.NewErrorSubType(ErrorSubTypeCodeSamlSlo, errors.New("error sub-type: slo")) ErrorSubTypeSamlInternal = security.NewErrorSubType(ErrorSubTypeCodeSamlInternal, errors.New("error sub-type: internal")) // ErrorSamlSloRequester requester errors are displayed as a HTML page ErrorSamlSloRequester = security.NewCodedError(ErrorCodeSamlSloRequester, "SLO requester error") // ErrorSamlSloResponder responder errors are communicated back to SP via bindings ErrorSamlSloResponder = security.NewCodedError(ErrorCodeSamlSloResponder, "SLO responder error") )
View Source
var ( FeatureId = security.FeatureId("SamlAuthorizeEndpoint", security.FeatureOrderSamlAuthorizeEndpoint) SloFeatureId = security.FeatureId("SamlSLOEndpoint", security.FeatureOrderSamlLogout) )
View Source
var Module = &bootstrap.Module{ Name: "saml auth - authorize", Precedence: security.MinSecurityPrecedence + 20, Options: []fx.Option{ fx.Invoke(register), }, }
Functions ¶
func DetermineACSEndpoint ¶
func DetermineACSEndpoint(req *saml.IdpAuthnRequest) error
func MakeAssertion ¶
func MakeAssertion(ctx context.Context, req *saml.IdpAuthnRequest, authentication security.Authentication, generator AttributeGenerator) error
MakeAssertion This is similar to the method in saml.IdpAuthnRequest but we have our own logic for generating attributes.
func MakeAssertionEl ¶
func MakeAssertionEl(req *saml.IdpAuthnRequest, skipEncryption bool) error
MakeAssertionEl This is similar to the implementation in saml.IdpAuthnRequest we re-implement it here because we need to optionally skip encryption
func MakeErrorResponse ¶
func MakeErrorResponse(req *saml.IdpAuthnRequest, code string, message string) error
func MakeLogoutResponse ¶
func MakeLogoutResponse(req *SamlLogoutRequest, code string, message string) (*saml.LogoutResponse, error)
func NewSamlInternalError ¶
func NewSamlRequesterError ¶
func NewSamlResponderError ¶
func SignLogoutResponse ¶
func SignLogoutResponse(idp *saml.IdentityProvider, resp *saml.LogoutResponse) error
SignLogoutResponse is similar to saml.ServiceProvider.SignLogoutResponse, but for IDP
func UnmarshalRequest ¶
func UnmarshalRequest(req *saml.IdpAuthnRequest) error
func ValidateAuthnRequest ¶
func ValidateAuthnRequest(req *saml.IdpAuthnRequest, spDetails SamlSpDetails, spMetadata *saml.EntityDescriptor) error
ValidateAuthnRequest This method is similar to the method in saml.IdpAuthnRequest, Because the original implementation doesn't support signature check and destination check, we reimplement it here to add support for them
Types ¶
type DefaultSamlClient ¶
type DefaultSamlClient struct {
SamlSpDetails
TenantRestrictions utils.StringSet
TenantRestrictionType string
}
func (DefaultSamlClient) GetEntityId ¶
func (c DefaultSamlClient) GetEntityId() string
func (DefaultSamlClient) GetMetadataSource ¶
func (c DefaultSamlClient) GetMetadataSource() string
func (DefaultSamlClient) GetMetadataTrustedKeys ¶
func (c DefaultSamlClient) GetMetadataTrustedKeys() []string
func (DefaultSamlClient) GetTenantRestrictionType ¶
func (c DefaultSamlClient) GetTenantRestrictionType() string
func (DefaultSamlClient) GetTenantRestrictions ¶
func (c DefaultSamlClient) GetTenantRestrictions() utils.StringSet
func (DefaultSamlClient) ShouldMetadataRequireSignature ¶
func (c DefaultSamlClient) ShouldMetadataRequireSignature() bool
func (DefaultSamlClient) ShouldMetadataTrustCheck ¶
func (c DefaultSamlClient) ShouldMetadataTrustCheck() bool
func (DefaultSamlClient) ShouldSkipAssertionEncryption ¶
func (c DefaultSamlClient) ShouldSkipAssertionEncryption() bool
func (DefaultSamlClient) ShouldSkipAuthRequestSignatureVerification ¶
func (c DefaultSamlClient) ShouldSkipAuthRequestSignatureVerification() bool
type Feature ¶
type Feature struct {
// contains filtered or unexported fields
}
func Configure ¶
func Configure(ws security.WebSecurity) *Feature
func ConfigureLogout ¶
func ConfigureLogout(ws security.WebSecurity) *Feature
func New ¶
func New() *Feature
New Standard security.Feature entrypoint for authorization, DSL style. Used with security.WebSecurity
func NewLogout ¶
func NewLogout() *Feature
NewLogout Standard security.Feature entrypoint for single-logout, DSL style. Used with security.WebSecurity
func (*Feature) EnableSLO ¶
EnableSLO when logoutUrl is set, SLO Request handling is added to logout.Feature. SLO feature cannot work properly if this value mismatches the logout URL
func (*Feature) Identifier ¶
func (f *Feature) Identifier() security.FeatureIdentifier
func (*Feature) MetadataPath ¶
func (*Feature) SigningMethod ¶
func (*Feature) SsoCondition ¶
func (f *Feature) SsoCondition(condition web.RequestMatcher) *Feature
type MetadataMiddleware ¶
type MetadataMiddleware struct {
// contains filtered or unexported fields
}
func NewMetadataMiddleware ¶
func NewMetadataMiddleware(opts *Options, samlClientStore samlctx.SamlClientStore) *MetadataMiddleware
func (*MetadataMiddleware) MetadataHandlerFunc ¶
func (mw *MetadataMiddleware) MetadataHandlerFunc() gin.HandlerFunc
func (*MetadataMiddleware) RefreshMetadataHandler ¶
func (mw *MetadataMiddleware) RefreshMetadataHandler(condition web.RequestMatcher) gin.HandlerFunc
type SamlAuthorizeEndpointConfigurer ¶
type SamlAuthorizeEndpointConfigurer struct {
// contains filtered or unexported fields
}
func (*SamlAuthorizeEndpointConfigurer) Apply ¶
func (c *SamlAuthorizeEndpointConfigurer) Apply(feature security.Feature, ws security.WebSecurity) (err error)
type SamlAuthorizeEndpointMiddleware ¶
type SamlAuthorizeEndpointMiddleware struct {
*MetadataMiddleware
// contains filtered or unexported fields
}
func NewSamlAuthorizeEndpointMiddleware ¶
func NewSamlAuthorizeEndpointMiddleware(metaMw *MetadataMiddleware, accountStore security.AccountStore, attributeGenerator AttributeGenerator) *SamlAuthorizeEndpointMiddleware
func (*SamlAuthorizeEndpointMiddleware) AuthorizeHandlerFunc ¶
func (mw *SamlAuthorizeEndpointMiddleware) AuthorizeHandlerFunc(condition web.RequestMatcher) gin.HandlerFunc
type SamlError ¶
type SamlError struct {
security.CodedError
EC string // saml error code
SC int // status code
}
func NewSamlError ¶
func (*SamlError) TranslateErrorCode ¶
func (*SamlError) TranslateErrorMessage ¶
func (*SamlError) TranslateHttpStatusCode ¶
type SamlErrorHandler ¶
type SamlErrorHandler struct{}
func NewSamlErrorHandler ¶
func NewSamlErrorHandler() *SamlErrorHandler
func (*SamlErrorHandler) HandleError ¶
func (h *SamlErrorHandler) HandleError(c context.Context, r *http.Request, rw http.ResponseWriter, err error)
HandleError * Handles error as saml response when possible. Otherwise let the error handling handle it
See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf 4.1.3.5
type SamlLogoutEndpointConfigurer ¶
type SamlLogoutEndpointConfigurer struct {
// contains filtered or unexported fields
}
func (*SamlLogoutEndpointConfigurer) Apply ¶
func (c *SamlLogoutEndpointConfigurer) Apply(feature security.Feature, ws security.WebSecurity) (err error)
type SamlLogoutRequest ¶
type SamlLogoutRequest struct {
HTTPRequest *http.Request
Binding string
Request *saml.LogoutRequest
RequestBuffer []byte
RelayState string
IDP *saml.IdentityProvider
SPMeta *saml.EntityDescriptor // the requester
SPSSODescriptor *saml.SPSSODescriptor
Callback *saml.Endpoint
Response *saml.LogoutResponse
}
func (SamlLogoutRequest) Validate ¶
func (r SamlLogoutRequest) Validate() error
func (SamlLogoutRequest) VerifySignature ¶
func (r SamlLogoutRequest) VerifySignature() error
func (SamlLogoutRequest) WriteResponse ¶
func (r SamlLogoutRequest) WriteResponse(rw http.ResponseWriter) error
type SamlSingleLogoutMiddleware ¶
type SamlSingleLogoutMiddleware struct {
*MetadataMiddleware
SamlErrorHandler
}
SamlSingleLogoutMiddleware is a 1. logout.LogoutHandler 2. logout.ConditionalLogoutHandler 3. security.AuthenticationSuccessHandler 4. security.AuthenticationErrorHandler 5. security.AuthenticationEntryPoint focusing on validate SAML logout request and send back SAML LogoutResponse
func NewSamlSingleLogoutMiddleware ¶
func NewSamlSingleLogoutMiddleware(metaMw *MetadataMiddleware) *SamlSingleLogoutMiddleware
func (*SamlSingleLogoutMiddleware) Commence ¶
func (mw *SamlSingleLogoutMiddleware) Commence(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)
func (*SamlSingleLogoutMiddleware) HandleAuthenticationError ¶
func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationError(ctx context.Context, r *http.Request, rw http.ResponseWriter, err error)
func (*SamlSingleLogoutMiddleware) HandleAuthenticationSuccess ¶
func (mw *SamlSingleLogoutMiddleware) HandleAuthenticationSuccess(ctx context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)
func (*SamlSingleLogoutMiddleware) HandleLogout ¶
func (mw *SamlSingleLogoutMiddleware) HandleLogout(ctx context.Context, _ *http.Request, _ http.ResponseWriter, auth security.Authentication) error
func (*SamlSingleLogoutMiddleware) Order ¶
func (mw *SamlSingleLogoutMiddleware) Order() int
func (*SamlSingleLogoutMiddleware) SLOCondition ¶
func (mw *SamlSingleLogoutMiddleware) SLOCondition() web.RequestMatcher
func (*SamlSingleLogoutMiddleware) ShouldLogout ¶
func (mw *SamlSingleLogoutMiddleware) ShouldLogout(ctx context.Context, r *http.Request, _ http.ResponseWriter, _ security.Authentication) error
ShouldLogout is a logout.ConditionalLogoutHandler method that intercept SP initiated SAML request. Possible outcomes are: - no error returned if the logout is not SAML single logout (no SAMLRequest found) - no error returned if the logout is a valid SAMLLogoutRequest - ErrorSubTypeSamlSlo if SAMLLogoutRequest is found but invalid
type SamlSpDetails ¶
type SamlSpDetails struct {
EntityId string
MetadataSource string
SkipAssertionEncryption bool
SkipAuthRequestSignatureVerification bool
MetadataRequireSignature bool
MetadataTrustCheck bool
MetadataTrustedKeys []string
//currently the implementation is metaiop profile. this field is reserved for future use
// https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#configuration-security-profiles-pkix
SecurityProfile string
}
type SamlSsoErrorTranslator ¶
type SpMetadataManager ¶
type SpMetadataManager struct {
// contains filtered or unexported fields
}
func (*SpMetadataManager) GetServiceProvider ¶
func (m *SpMetadataManager) GetServiceProvider(serviceProviderID string) (SamlSpDetails, *saml.EntityDescriptor, error)
func (*SpMetadataManager) RefreshCache ¶
func (m *SpMetadataManager) RefreshCache(ctx context.Context, clients []samlctx.SamlClient)
Source Files
¶
- base_configurer.go
- client.go
- constants.go
- error_handling.go
- errors.go
- feature.go
- logger.go
- metadata_manager.go
- metadata_middleware.go
- package.go
- slo_configurer.go
- slo_middleware.go
- slo_request.go
- slo_response.go
- sso_assertion.go
- sso_authn_request.go
- sso_configurer.go
- sso_error_response.go
- sso_middleware.go
- util.go
Click to show internal directories.
Click to hide internal directories.