package module
v0.0.0-...-f43d143 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 27, 2016 License: Apache-2.0 Imports: 25 Imported by: 0



Build Status GoDoc

SAML 2.0 implemementation for Service Providers based on etree and goxmldsig, a pure Go implementation of XML digital signatures.


Install gosaml2 into your $GOPATH using go get:

go get


See demo.go.

Supported Identity Providers

This library is meant to be a generic SAML implementation. If you find a standards compliant identity provider that it doesn't work with please submit a bug or pull request.

The following identity providers have been tested:

  • Okta
  • Auth0
  • Shibboleth




View Source
const (
	MethodRSAOAEP  = ""
	MethodRSAOAEP2 = ""

Well-known public-key encryption methods

View Source
const (
	MethodAES128GCM = ""
	MethodAES128CBC = ""

Well-known private key encryption methods

View Source
const (
	MethodSHA1   = ""
	MethodSHA256 = ""
	MethodSHA512 = ""

Well-known hash methods

View Source
const (
	ReasonUnsupported = "Unsupported"
	ReasonExpired     = "Expired"

Oft-used messages

View Source
const (
	ResponseTag                = "Response"
	AssertionTag               = "Assertion"
	SubjectTag                 = "Subject"
	NameIdTag                  = "NameID"
	SubjectConfirmationTag     = "SubjectConfirmation"
	SubjectConfirmationDataTag = "SubjectConfirmationData"
	AttributeStatementTag      = "AttributeStatement"
	AttributeValueTag          = "AttributeValue"
	ConditionsTag              = "Conditions"
	AudienceRestrictionTag     = "AudienceRestriction"
	AudienceTag                = "Audience"
	OneTimeUseTag              = "OneTimeUse"
	ProxyRestrictionTag        = "ProxyRestriction"
View Source
const (
	DestinationAttr  = "Destination"
	VersionAttr      = "Version"
	IdAttr           = "ID"
	MethodAttr       = "Method"
	RecipientAttr    = "Recipient"
	NameAttr         = "Name"
	NotBeforeAttr    = "NotBefore"
	NotOnOrAfterAttr = "NotOnOrAfter"
	CountAttr        = "Count"
View Source
const (
	NameIdFormatPersistent      = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	NameIdFormatTransient       = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
	NameIdFormatEmailAddress    = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	NameIdFormatUnspecified     = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
	NameIdFormatX509SubjectName = "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"
View Source
const (
	SubjMethodBearer = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

Well-known methods of subject confirmation


View Source
var (
	ErrMissingAssertion = ErrMissingElement{Tag: AssertionTag}

ErrMissingAssertion indicates that an appropriate assertion element could not be found in the SAML Response


This section is empty.


type AssertionInfo

type AssertionInfo struct {
	NameID      string
	Values      Values
	WarningInfo *WarningInfo

type AttrVal

type AttrVal string

AttrVal is an abstraction for the string value of an XML document, which will ensure that all surrounding space is trimmed during Unmarshaling

func (*AttrVal) UnmarshalXML

func (v *AttrVal) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML implements xml.Unmarshaler

type Attribute

type Attribute struct {
	FriendlyName string    `xml:"FriendlyName,attr"`
	Name         string    `xml:"Name,attr"`
	NameFormat   string    `xml:"NameFormat,attr"`
	Values       []AttrVal `xml:"AttributeValue"`

Attribute holds the assertion name/values returned by the remote hosts

type AuthNRequest

type AuthNRequest struct {
	ID                          string `xml:",attr"`
	Version                     string `xml:",attr"`
	ProtocolBinding             string `xml:",attr"`
	AssertionConsumerServiceURL string `xml:",attr"`

	IssueInstant time.Time `xml:",attr"`

	Destination string `xml:",attr"`
	Issuer      string

AuthNRequest is the go struct representation of an authentication request

type DigestMethod

type DigestMethod struct {
	Algorithm string `xml:",attr"`

DigestMethod is a digest type specification

type EncryptedKey

type EncryptedKey struct {
	// EncryptionMethod string `xml:"EncryptionMethod>Algorithm"`
	X509Data         string `xml:"KeyInfo>X509Data>X509Certificate"`
	CipherValue      string `xml:"CipherData>CipherValue"`
	EncryptionMethod EncryptionMethod

EncryptedKey contains the decryption key data from the saml2 core and xmlenc standards.

func (*EncryptedKey) DecryptSymmetricKey

func (ek *EncryptedKey) DecryptSymmetricKey(cert tls.Certificate) (cipher.Block, error)

DecryptSymmetricKey returns the private key contained in the EncryptedKey document

type EncryptionMethod

type EncryptionMethod struct {
	Algorithm    string `xml:",attr"`
	DigestMethod DigestMethod

EncryptionMethod specifies the type of encryption that was used.

type ErrInvalidValue

type ErrInvalidValue struct {
	Key, Expected, Actual string
	Reason                string

ErrInvalidValue indicates that the expected value did not match the received value.

func (ErrInvalidValue) Error

func (e ErrInvalidValue) Error() string

type ErrMissingElement

type ErrMissingElement struct {
	Tag, Attribute string

ErrMissingElement is the error type that indicates an element and/or attribute is missing. It provides a structured error that can be more appropriately acted upon.

func (ErrMissingElement) Error

func (e ErrMissingElement) Error() string

type ErrParsing

type ErrParsing struct {
	Tag, Value, Type string

ErrParsing indicates that the value present in an assertion could not be parsed. It can be inspected for the specific tag name, the contents, and the intended type.

func (ErrParsing) Error

func (ep ErrParsing) Error() string

type ProxyRestriction

type ProxyRestriction struct {
	Count    int
	Audience []string

type Response

type Response struct {
	Destination      string           `xml:"Destination,attr"`
	Issuer           string           `xml:"Issuer"`
	Value            string           `xml:",attr"`
	EncryptionMethod EncryptionMethod `xml:"EncryptedAssertion>EncryptedData>EncryptionMethod"`
	Key              EncryptedKey     `xml:"EncryptedAssertion>EncryptedData>KeyInfo>EncryptedKey"`
	Data             string           `xml:"EncryptedAssertion>EncryptedData>CipherData>CipherValue"`
	Signature        string           `xml:"Signature>SignatureValue"`
	Digest           string           `xml:"Signature>SignedInfo>Reference>DigestValue"`

Response is an abstraction type for handling the information in a SAML assertion

func NewResponseFromReader

func NewResponseFromReader(r io.Reader) (*Response, error)

NewResponseFromReader returns a Response or error based on the given reader.

func (*Response) Decrypt

func (sr *Response) Decrypt(cert tls.Certificate) ([]byte, error)

Decrypt returns the byte slice contained in the encrypted data.

type SAMLServiceProvider

type SAMLServiceProvider struct {
	IdentityProviderSSOURL      string
	IdentityProviderIssuer      string
	AssertionConsumerServiceURL string
	SignAuthnRequests           bool
	SignAuthnRequestsAlgorithm  string
	AudienceURI                 string
	IDPCertificateStore         dsig.X509CertificateStore
	SPKeyStore                  dsig.X509KeyStore
	NameIdFormat                string
	SkipSignatureValidation     bool
	Clock                       *dsig.Clock
	// contains filtered or unexported fields

func (*SAMLServiceProvider) AuthRedirect

func (sp *SAMLServiceProvider) AuthRedirect(w http.ResponseWriter, r *http.Request, relayState string) (err error)

AuthRedirect takes a ResponseWriter and Request from an http interaction and redirects to the SAMLServiceProvider's configured IdP, including the relayState provided, if any.

func (*SAMLServiceProvider) BuildAuthRequest

func (sp *SAMLServiceProvider) BuildAuthRequest() (string, error)

func (*SAMLServiceProvider) BuildAuthURL

func (sp *SAMLServiceProvider) BuildAuthURL(relayState string) (string, error)

func (*SAMLServiceProvider) RetrieveAssertionInfo

func (sp *SAMLServiceProvider) RetrieveAssertionInfo(encodedResponse string) (*AssertionInfo, error)

RetrieveAssertionInfo takes an encoded response and returns the AssertionInfo contained, or an error message if an error has been encountered.

func (*SAMLServiceProvider) SigningContext

func (sp *SAMLServiceProvider) SigningContext() *dsig.SigningContext

func (*SAMLServiceProvider) Validate

func (sp *SAMLServiceProvider) Validate(el *etree.Element) error

Validate ensures that the assertion passed is valid for the current Service Provider.

func (*SAMLServiceProvider) ValidateEncodedResponse

func (sp *SAMLServiceProvider) ValidateEncodedResponse(encodedResponse string) (*etree.Element, error)

ValidateEncodedResponse both decodes and validates, based on SP configuration, an encoded, signed response. It will also appropriately decrypt a response if the assertion was encrypted

func (*SAMLServiceProvider) VerifyAssertionConditions

func (sp *SAMLServiceProvider) VerifyAssertionConditions(assertionElement, conditionsStatement *etree.Element) (*WarningInfo, error)

VerifyAssertionConditions inspects an assertion element and makes sure that all SAML2 contracts are upheld.

type Values

type Values map[string]Attribute

Values is a convenience wrapper for a map of strings to Attributes, which can be used for easy access to the string values of Attribute lists.

func (Values) Add

func (vals Values) Add(k, v string)

Add appends to any Attribute's set of values, whether or not the key existed already. That is, it will create an attribute with a one-length slice if none existed.

func (Values) Del

func (vals Values) Del(k string)

Delete implements a quick key delete

func (Values) Get

func (vals Values) Get(k string) string

Get is a safe method (nil maps will not panic) for returning the first value for an attribute at a key, or the empty string if none exists.

func (Values) Set

func (vals Values) Set(k, v string)

Set replaces any pre-existing key's values (if any existed) with an attribute containing only the given value.

func (*Values) UnmarshalXML

func (vals *Values) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error

UnmarshalXML implements encoding/xml.Unmarshaler

type WarningInfo

type WarningInfo struct {
	OneTimeUse       bool
	ProxyRestriction *ProxyRestriction
	NotInAudience    bool
	InvalidTime      bool


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL