
package saml2

import "github.com/russellhaering/gosaml2"


Package Files

attribute.go authn_request.go build_request.go decode_response.go retrieve_assertion.go saml.go test_constants.go validate.go xml_constants.go


const (
    ReasonUnsupported = "Unsupported"
    ReasonExpired     = "Expired"

Oft-used messages

const (
    ResponseTag                = "Response"
    AssertionTag               = "Assertion"
    EncryptedAssertionTag      = "EncryptedAssertion"
    SubjectTag                 = "Subject"
    NameIdTag                  = "NameID"
    SubjectConfirmationTag     = "SubjectConfirmation"
    SubjectConfirmationDataTag = "SubjectConfirmationData"
    AttributeStatementTag      = "AttributeStatement"
    AttributeValueTag          = "AttributeValue"
    ConditionsTag              = "Conditions"
    AudienceRestrictionTag     = "AudienceRestriction"
    AudienceTag                = "Audience"
    OneTimeUseTag              = "OneTimeUse"
    ProxyRestrictionTag        = "ProxyRestriction"
    IssuerTag                  = "Issuer"
    StatusTag                  = "Status"
    StatusCodeTag              = "StatusCode"
const (
    DestinationAttr  = "Destination"
    VersionAttr      = "Version"
    IdAttr           = "ID"
    MethodAttr       = "Method"
    RecipientAttr    = "Recipient"
    NameAttr         = "Name"
    NotBeforeAttr    = "NotBefore"
    NotOnOrAfterAttr = "NotOnOrAfter"
    CountAttr        = "Count"
const (
    NameIdFormatPersistent      = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameIdFormatTransient       = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    NameIdFormatEmailAddress    = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    NameIdFormatUnspecified     = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    NameIdFormatX509SubjectName = "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"

    AuthnContextPasswordProtectedTransport = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

    AuthnPolicyMatchExact   = "exact"
    AuthnPolicyMatchMinimum = "minimum"
    AuthnPolicyMatchMaximum = "maximum"
    AuthnPolicyMatchBetter  = "better"

    StatusCodeSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success"

    BindingHttpPost     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    BindingHttpRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
const (
    SAMLAssertionNamespace = "urn:oasis:names:tc:SAML:2.0:assertion"
    SAMLProtocolNamespace  = "urn:oasis:names:tc:SAML:2.0:protocol"
const (
    SubjMethodBearer = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

Well-known methods of subject confirmation


var (
    ErrMissingAssertion = ErrMissingElement{Tag: AssertionTag}

ErrMissingAssertion indicates that an appropriate assertion element could not be found in the SAML Response

func DecodeUnverifiedBaseResponse

func DecodeUnverifiedBaseResponse(encodedResponse string) (*types.UnverifiedBaseResponse, error)

DecodeUnverifiedBaseResponse decodes several attributes from a SAML response for the purpose of determining how to validate the response (for example, which IdP's configuration to validate it against). As the name indicates, nothing in the returned value has been signature-verified, so it must not be relied on for anything beyond choosing how to validate. This is useful for Service Providers which expose a single Assertion Consumer Service URL but consume Responses from many IdPs.

type AssertionInfo

type AssertionInfo struct {
    NameID                     string
    Values                     Values
    WarningInfo                *WarningInfo
    AuthnInstant               *time.Time
    SessionNotOnOrAfter        *time.Time
    Assertions                 []types.Assertion
    ResponseSignatureValidated bool

type AuthNRequest

type AuthNRequest struct {
    ID                          string `xml:",attr"`
    Version                     string `xml:",attr"`
    ProtocolBinding             string `xml:",attr"`
    AssertionConsumerServiceURL string `xml:",attr"`

    IssueInstant time.Time `xml:",attr"`

    Destination string `xml:",attr"`
    Issuer      string

AuthNRequest is the Go struct representation of an authentication request.

type ErrInvalidValue

type ErrInvalidValue struct {
    Key, Expected, Actual string
    Reason                string

ErrInvalidValue indicates that the expected value did not match the received value.

func (ErrInvalidValue) Error

func (e ErrInvalidValue) Error() string

type ErrMissingElement

type ErrMissingElement struct {
    Tag, Attribute string

ErrMissingElement is the error type that indicates an element and/or attribute is missing. It provides a structured error that can be more appropriately acted upon.

func (ErrMissingElement) Error

func (e ErrMissingElement) Error() string

type ErrParsing

type ErrParsing struct {
    Tag, Value, Type string

ErrParsing indicates that the value present in an assertion could not be parsed. It can be inspected for the specific tag name, the contents, and the intended type.

func (ErrParsing) Error

func (ep ErrParsing) Error() string

type ErrSaml

type ErrSaml struct {
    Message string
    System  error

func (ErrSaml) Error

func (serr ErrSaml) Error() string

type ErrVerification

type ErrVerification struct {
    Cause error

func (ErrVerification) Error

func (e ErrVerification) Error() string

type ProxyRestriction

type ProxyRestriction struct {
    Count    int
    Audience []string

type RequestedAuthnContext

type RequestedAuthnContext struct {
    // The RequestedAuthnContext comparison policy to use. See the section
    // of the SAML 2.0 specification for details. Constants named AuthnPolicyMatch*
    // contain standardized values.
    Comparison string

    // Contexts will be passed as AuthnContextClassRefs. For example, to force password
    // authentication on some identity providers, Contexts should have a value of
    // []string{AuthnContextPasswordProtectedTransport}, and Comparison should have a
    // value of AuthnPolicyMatchExact.
    Contexts []string

RequestedAuthnContext controls which authentication mechanisms are requested of the identity provider. It is generally sufficient to omit this and let the identity provider select an authentication mechanism.

type SAMLServiceProvider

type SAMLServiceProvider struct {
    IdentityProviderSSOURL string
    IdentityProviderIssuer string

    AssertionConsumerServiceURL string
    ServiceProviderIssuer       string

    SignAuthnRequests              bool
    SignAuthnRequestsAlgorithm     string
    SignAuthnRequestsCanonicalizer dsig.Canonicalizer

    // RequestedAuthnContext allows service providers to require that the identity
    // provider use specific authentication mechanisms. Leaving this unset will
    // permit the identity provider to choose the auth method. To maximize compatibility
    // with identity providers it is recommended to leave this unset.
    RequestedAuthnContext   *RequestedAuthnContext
    AudienceURI             string
    IDPCertificateStore     dsig.X509CertificateStore
    SPKeyStore              dsig.X509KeyStore // Required encryption key, default signing key
    SPSigningKeyStore       dsig.X509KeyStore // Optional signing key
    NameIdFormat            string
    ValidateEncryptionCert  bool
    SkipSignatureValidation bool
    AllowMissingAttributes  bool
    Clock                   *dsig.Clock
    // contains filtered or unexported fields

func (*SAMLServiceProvider) AuthRedirect

func (sp *SAMLServiceProvider) AuthRedirect(w http.ResponseWriter, r *http.Request, relayState string) (err error)

AuthRedirect takes a ResponseWriter and Request from an http interaction and redirects to the SAMLServiceProvider's configured IdP, including the relayState provided, if any.

func (*SAMLServiceProvider) BuildAuthRequest

func (sp *SAMLServiceProvider) BuildAuthRequest() (string, error)

BuildAuthRequest builds an <AuthnRequest> for the identity provider.

func (*SAMLServiceProvider) BuildAuthRequestDocument

func (sp *SAMLServiceProvider) BuildAuthRequestDocument() (*etree.Document, error)

func (*SAMLServiceProvider) BuildAuthRequestDocumentNoSig

func (sp *SAMLServiceProvider) BuildAuthRequestDocumentNoSig() (*etree.Document, error)

func (*SAMLServiceProvider) BuildAuthURL

func (sp *SAMLServiceProvider) BuildAuthURL(relayState string) (string, error)

BuildAuthURL builds the redirect URL to be sent to the principal.

func (*SAMLServiceProvider) BuildAuthURLFromDocument

func (sp *SAMLServiceProvider) BuildAuthURLFromDocument(relayState string, doc *etree.Document) (string, error)

func (*SAMLServiceProvider) BuildAuthURLRedirect

func (sp *SAMLServiceProvider) BuildAuthURLRedirect(relayState string, doc *etree.Document) (string, error)

func (*SAMLServiceProvider) GetEncryptionCertBytes

func (sp *SAMLServiceProvider) GetEncryptionCertBytes() ([]byte, error)

func (*SAMLServiceProvider) GetEncryptionKey

func (sp *SAMLServiceProvider) GetEncryptionKey() dsig.X509KeyStore

func (*SAMLServiceProvider) GetSigningCertBytes

func (sp *SAMLServiceProvider) GetSigningCertBytes() ([]byte, error)

func (*SAMLServiceProvider) GetSigningKey

func (sp *SAMLServiceProvider) GetSigningKey() dsig.X509KeyStore

func (*SAMLServiceProvider) Metadata

func (sp *SAMLServiceProvider) Metadata() (*types.EntityDescriptor, error)

func (*SAMLServiceProvider) RetrieveAssertionInfo

func (sp *SAMLServiceProvider) RetrieveAssertionInfo(encodedResponse string) (*AssertionInfo, error)

RetrieveAssertionInfo takes an encoded response and returns the AssertionInfo it contains, or an error if one was encountered.

func (*SAMLServiceProvider) SignAuthnRequest

func (sp *SAMLServiceProvider) SignAuthnRequest(el *etree.Element) (*etree.Element, error)

SignAuthnRequest takes a document, builds a signature, creates another document and inserts the signature in it. According to the schema, the position of the signature is right after the Issuer [1] then all other children.

[1] https://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd

func (*SAMLServiceProvider) SigningContext

func (sp *SAMLServiceProvider) SigningContext() *dsig.SigningContext

func (*SAMLServiceProvider) Validate

func (sp *SAMLServiceProvider) Validate(response *types.Response) error

Validate ensures that the response passed is valid for the current Service Provider.

func (*SAMLServiceProvider) ValidateEncodedResponse

func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (*types.Response, error)

ValidateEncodedResponse both decodes and validates, based on the SP configuration, an encoded, signed response. It will also decrypt the response as needed if the assertion was encrypted.

func (*SAMLServiceProvider) VerifyAssertionConditions

func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertion *types.Assertion) (*WarningInfo, error)

VerifyAssertionConditions inspects an assertion element and makes sure that all SAML2 contracts are upheld.

type Values

type Values map[string]types.Attribute

Values is a convenience wrapper for a map of strings to Attributes, which can be used for easy access to the string values of Attribute lists.

func (Values) Get

func (vals Values) Get(k string) string

Get is a safe method (nil maps will not panic) for returning the first value for an attribute at a key, or the empty string if none exists.

type WarningInfo

type WarningInfo struct {
    OneTimeUse       bool
    ProxyRestriction *ProxyRestriction
    NotInAudience    bool
    InvalidTime      bool


