Documentation
Overview
Package samlidp is a rudimentary SAML identity provider suitable for testing or as a starting point for a more complex service.
Index
- Variables
- type MemoryStore
- type Options
- type Server
- func (s *Server) GetServiceProvider(r *http.Request, serviceProviderID string) (*saml.EntityDescriptor, error)
- func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.IdpAuthnRequest) *saml.Session
- func (s *Server) HandleDeleteService(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleDeleteSession(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleDeleteShortcut(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleDeleteUser(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleGetService(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleGetSession(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleGetShortcut(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleGetUser(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleIDPInitiated(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleListServices(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleListSessions(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleListShortcuts(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleListUsers(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandleLogin(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandlePutService(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandlePutShortcut(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) HandlePutUser(c web.C, w http.ResponseWriter, r *http.Request)
- func (s *Server) InitializeHTTP()
- type Service
- type Shortcut
- type Store
- type User
Constants
This section is empty.
Variables
var ErrNotFound = errors.New("not found")
ErrNotFound is returned from Store.Get() when a stored item is not present.
Functions
This section is empty.
Types
type MemoryStore
type MemoryStore struct {
// contains filtered or unexported fields
}
MemoryStore is an implementation of Store that resides completely in memory.
func (*MemoryStore) Get
func (s *MemoryStore) Get(key string, value interface{}) error
Get fetches the data stored in `key` and unmarshals it into `value`.
func (*MemoryStore) List
func (s *MemoryStore) List(prefix string) ([]string, error)
List returns all the keys that start with `prefix`. The prefix is stripped from each returned value. So if keys are ["aa", "ab", "cd"] then List("a") would produce []string{"a", "b"}.
func (*MemoryStore) Put
func (s *MemoryStore) Put(key string, value interface{}) error
Put marshals `value` and stores it in `key`.
type Options
type Options struct {
	URL         url.URL
	Key         crypto.PrivateKey
	Logger      logger.Interface
	Certificate *x509.Certificate
	Store       Store
}
Options represents the parameters to New() for creating a new IDP server.
type Server
type Server struct {
	http.Handler
	IDP   saml.IdentityProvider // the underlying IDP
	Store Store                 // the data store
	// contains filtered or unexported fields
}
Server represents an IDP server. The server provides the following URLs:
/metadata - the SAML metadata
/sso - the SAML endpoint to initiate an authentication flow
/login - prompt for a username and password if no session established
/login/:shortcut - kick off an IDP-initiated authentication flow
/services - RESTful interface to Service objects
/users - RESTful interface to User objects
/sessions - RESTful interface to Session objects
/shortcuts - RESTful interface to Shortcut objects
func (*Server) GetServiceProvider
func (s *Server) GetServiceProvider(r *http.Request, serviceProviderID string) (*saml.EntityDescriptor, error)
GetServiceProvider returns the Service Provider metadata for the service provider ID, which is typically the service provider's metadata URL. If an appropriate service provider cannot be found then the returned error must be os.ErrNotExist.
func (*Server) GetSession
func (s *Server) GetSession(w http.ResponseWriter, r *http.Request, req *saml.IdpAuthnRequest) *saml.Session
GetSession returns the *Session for this request.
If the remote user has specified a username and password in the request then it is validated against the user database. If valid it sets a cookie and returns the newly created session object.
If the remote user has specified invalid credentials then a login form is returned with an English-language toast telling the user their password was invalid.
If a session cookie already exists and represents a valid session, then the session is returned.
If neither credentials nor a valid session cookie exist, this function sends a login form and returns nil.
func (*Server) HandleDeleteService
func (s *Server) HandleDeleteService(c web.C, w http.ResponseWriter, r *http.Request)
HandleDeleteService handles the `DELETE /services/:id` request.
func (*Server) HandleDeleteSession
func (s *Server) HandleDeleteSession(c web.C, w http.ResponseWriter, r *http.Request)
HandleDeleteSession handles the `DELETE /sessions/:id` request. It invalidates the specified session.
func (*Server) HandleDeleteShortcut
func (s *Server) HandleDeleteShortcut(c web.C, w http.ResponseWriter, r *http.Request)
HandleDeleteShortcut handles the `DELETE /shortcuts/:id` request.
func (*Server) HandleDeleteUser
func (s *Server) HandleDeleteUser(c web.C, w http.ResponseWriter, r *http.Request)
HandleDeleteUser handles the `DELETE /users/:id` request.
func (*Server) HandleGetService
func (s *Server) HandleGetService(c web.C, w http.ResponseWriter, r *http.Request)
HandleGetService handles the `GET /services/:id` request and responds with the service metadata in XML format.
func (*Server) HandleGetSession
func (s *Server) HandleGetSession(c web.C, w http.ResponseWriter, r *http.Request)
HandleGetSession handles the `GET /sessions/:id` request and responds with the session object in JSON format.
func (*Server) HandleGetShortcut
func (s *Server) HandleGetShortcut(c web.C, w http.ResponseWriter, r *http.Request)
HandleGetShortcut handles the `GET /shortcuts/:id` request and responds with the shortcut object in JSON format.
func (*Server) HandleGetUser
func (s *Server) HandleGetUser(c web.C, w http.ResponseWriter, r *http.Request)
HandleGetUser handles the `GET /users/:id` request and responds with the user object in JSON format. The HashedPassword field is excluded.
func (*Server) HandleIDPInitiated
func (s *Server) HandleIDPInitiated(c web.C, w http.ResponseWriter, r *http.Request)
HandleIDPInitiated handles a request for an IDP-initiated login flow. It looks up the specified shortcut, generates the appropriate SAML assertion and redirects the user via the HTTP-POST binding to the service provider's ACS URL.
func (*Server) HandleListServices
func (s *Server) HandleListServices(c web.C, w http.ResponseWriter, r *http.Request)
HandleListServices handles the `GET /services/` request and responds with a JSON-formatted list of service names.
func (*Server) HandleListSessions
func (s *Server) HandleListSessions(c web.C, w http.ResponseWriter, r *http.Request)
HandleListSessions handles the `GET /sessions/` request and responds with a JSON-formatted list of session names.
func (*Server) HandleListShortcuts
func (s *Server) HandleListShortcuts(c web.C, w http.ResponseWriter, r *http.Request)
HandleListShortcuts handles the `GET /shortcuts/` request and responds with a JSON-formatted list of shortcut names.
func (*Server) HandleListUsers
func (s *Server) HandleListUsers(c web.C, w http.ResponseWriter, r *http.Request)
HandleListUsers handles the `GET /users/` request and responds with a JSON-formatted list of user names.
func (*Server) HandleLogin
func (s *Server) HandleLogin(c web.C, w http.ResponseWriter, r *http.Request)
HandleLogin handles the `POST /login` and `GET /login` forms. If credentials are present in the request body, then they are validated. For valid credentials, the response is a 200 OK and the JSON session object. For invalid credentials, the HTML login prompt form is sent.
func (*Server) HandlePutService
func (s *Server) HandlePutService(c web.C, w http.ResponseWriter, r *http.Request)
HandlePutService handles the `PUT /services/:id` request. It accepts the XML-formatted service metadata in the request body and stores it.
func (*Server) HandlePutShortcut
func (s *Server) HandlePutShortcut(c web.C, w http.ResponseWriter, r *http.Request)
HandlePutShortcut handles the `PUT /shortcuts/:id` request. It accepts a JSON-formatted shortcut object in the request body and stores it.
func (*Server) HandlePutUser
func (s *Server) HandlePutUser(c web.C, w http.ResponseWriter, r *http.Request)
HandlePutUser handles the `PUT /users/:id` request. It accepts a JSON-formatted user object in the request body and stores it. If the PlaintextPassword field is present then it is hashed and stored in HashedPassword. If the PlaintextPassword field is not present then HashedPassword retains its stored value.
func (*Server) InitializeHTTP
func (s *Server) InitializeHTTP()
InitializeHTTP sets up the HTTP handler for the server. (This function is called automatically for you by New, but you may need to call it yourself if you don't create the object using New.)
type Service
type Service struct {
	// Name is the name of the service provider
	Name string
	// Metadata is the XML metadata of the service provider.
	Metadata saml.EntityDescriptor
}
Service represents a configured SP for whom this IDP provides authentication services.
type Shortcut
type Shortcut struct {
	// The name of the shortcut.
	Name string `json:"name"`
	// The entity ID of the service provider to use for this shortcut, i.e.
	// https://someapp.example.com/saml/metadata.
	ServiceProviderID string `json:"service_provider"`
	// If specified then the relay state is the fixed string provided
	RelayState *string `json:"relay_state,omitempty"`
	// If true then the URL suffix is used as the relayState. So for example, a user
	// requesting https://idp.example.com/login/myservice/foo will get redirected
	// to the myservice endpoint with a RelayState of "foo".
	URISuffixAsRelayState bool `json:"url_suffix_as_relay_state,omitempty"`
}
Shortcut represents an IDP-initiated SAML flow. When a user navigates to /login/:shortcut it initiates the login flow to the specified service provider with the specified RelayState.
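As an added example (not samlidp's own code), the following resolves a `/login/:shortcut` request path into the service provider ID and RelayState that the IDP-initiated flow should use, following the Shortcut field descriptions above. The in-memory `shortcuts` map, the `resolveShortcut` function, and the rule that a fixed RelayState takes precedence over the URL suffix are assumptions of this example, not the package's implementation.

```go
package main

import (
	"errors"
	"strings"
)

// Shortcut mirrors the documented samlidp.Shortcut type.
type Shortcut struct {
	Name                  string  `json:"name"`
	ServiceProviderID     string  `json:"service_provider"`
	RelayState            *string `json:"relay_state,omitempty"`
	URISuffixAsRelayState bool    `json:"url_suffix_as_relay_state,omitempty"`
}

var ErrNotFound = errors.New("not found")

// shortcuts stands in for the Store, keyed by shortcut name (constructed data).
var shortcuts = map[string]Shortcut{}

// resolveShortcut maps "/login/<name>[/<suffix>]" to the SP entity ID and RelayState.
// Precedence (an assumption of this example): a fixed RelayState wins; otherwise the
// URL suffix is used when URISuffixAsRelayState is set; otherwise RelayState is empty.
func resolveShortcut(path string) (spID, relayState string, err error) {
	rest, ok := strings.CutPrefix(path, "/login/")
	if !ok {
		return "", "", errors.New("not a shortcut path")
	}
	name, suffix, _ := strings.Cut(rest, "/")
	sc, ok := shortcuts[name]
	if !ok {
		return "", "", ErrNotFound
	}
	switch {
	case sc.RelayState != nil:
		relayState = *sc.RelayState
	case sc.URISuffixAsRelayState:
		relayState = suffix
	}
	// A suffix taken from the URL is caller-controlled; the SAML bindings spec caps
	// RelayState at 80 bytes, so reject anything longer before it reaches the SP.
	if len(relayState) > 80 {
		return "", "", errors.New("relay state too long")
	}
	return sc.ServiceProviderID, relayState, nil
}
```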
type Store
type Store interface {
	// Get fetches the data stored in `key` and unmarshals it into `value`.
	Get(key string, value interface{}) error
	// Put marshals `value` and stores it in `key`.
	Put(key string, value interface{}) error
	// Delete removes `key`
	Delete(key string) error
	// List returns all the keys that start with `prefix`. The prefix is
	// stripped from each returned value. So if keys are ["aa", "ab", "cd"]
	// then List("a") would produce []string{"a", "b"}
	List(prefix string) ([]string, error)
}
Store is an interface that describes an abstract key-value store.
type User
type User struct {
	Name              string   `json:"name"`
	PlaintextPassword *string  `json:"password,omitempty"` // not stored
	HashedPassword    []byte   `json:"hashed_password,omitempty"`
	Groups            []string `json:"groups,omitempty"`
	Email             string   `json:"email,omitempty"`
	CommonName        string   `json:"common_name,omitempty"`
	Surname           string   `json:"surname,omitempty"`
	GivenName         string   `json:"given_name,omitempty"`
}
User represents a stored user. The data here are used to populate user once the user has authenticated.
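As an added example (not samlidp's own code), the following applies the documented `PUT /users/:id` rule (hash a supplied PlaintextPassword, otherwise retain the stored HashedPassword, never persist the plaintext) and the `GET /users/:id` rule (HashedPassword excluded) against an in-memory map. The `users` map, `putUser`, `getUser` and the salted-SHA-256 `hashPassword` stand-in are this example's assumptions, not the package's implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var (
	ErrNotFound = errors.New("not found")
	users       = map[string]User{} // stand-in for the Store, keyed by user id
)

// User keeps the documented fields that PUT and GET /users/:id act on.
type User struct {
	Name              string  `json:"name"`
	PlaintextPassword *string `json:"password,omitempty"` // not stored
	HashedPassword    []byte  `json:"hashed_password,omitempty"`
}

// hashPassword is a salted-SHA-256 stand-in so this runs on the standard library
// alone; a real IdP needs a slow password hash such as bcrypt or argon2.
func hashPassword(pw string) []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	sum := sha256.Sum256(append(salt, pw...))
	return append(salt, sum[:]...) // salt || digest, 48 bytes
}

// putUser applies the PUT /users/:id rule: hash a supplied password, else keep the stored hash.
func putUser(id string, in User) {
	if in.PlaintextPassword != nil {
		in.HashedPassword = hashPassword(*in.PlaintextPassword)
		in.PlaintextPassword = nil // the plaintext is never persisted
	} else if stored, ok := users[id]; ok {
		in.HashedPassword = stored.HashedPassword
	}
	users[id] = in
}

// getUser mirrors GET /users/:id: the record is returned without HashedPassword.
func getUser(id string) (User, error) {
	u, ok := users[id]
	if !ok {
		return User{}, ErrNotFound
	}
	u.HashedPassword = nil // strip the hash from the response copy
	return u, nil
}
```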