saml

package module
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 20, 2021 License: MIT Imports: 15 Imported by: 0

README

go-saml

High-level API library for Single Sign On with SAML 2.0 based on etree and signedxml, a pure Go implementation. The library provides the Identity Provider Implementation with support of both IDPInitiated and SPInitiated flow.

Features

  • Generating identity provider metadata
  • Validating Redirect/Post Binding signed/unsigned AuthnRequests
  • Generating Post signed Responses
  • Validating Redirect/Post Binding signed/unsigned LogoutRequest
  • Generating Post signed LogoutResponses
  • SessionIndex

Installation

Install go-saml into your $GOPATH using go get:

go get github.com/OSMeteor/go-saml

Usage

Below are samples to show how you might use the library.

Create Idp Provider Instance
idp := saml.IdentityProvider{
    IsIdpInitiated:       false,
    Issuer:               "https://identity-provider.com/",
    Audiences:            "https://service-provider.com/",
    IDPCert:              "<IDPCert PEM Format>",
    IDPKey:               "<IDPKey PEM Format>",
    SPCert:               "<SPCert PEM Format>",
    NameIdentifier:       "john@idp.com",
    NameIdentifierFormat: saml.AttributeFormatUnspecified,
    ACSLocation:          "https://service-provider-acs.com", //Service Provider Login Url
    ACSBinging:           saml.HTTPPostBinding,
    SessionIndex:         "1ac5bc03-06a1-413d-8542-e7a7e7d9e9f2",
    LogoutUrl:            "https://service-provider-acs.com/logout" //Service Provider Logout Url
}

//Add Attributes
idp.AddAttribute("Fname", "john", saml.AttributeFormatUnspecified)
Validate and Parse AuthnRequest
//This validate the AuthnRequest and set parsed value in the idp instance, 
//that used in Generating the SAML Response with InResponseTo property.

//Get Querystring and Payload values from request with url.Value{} type
validationError := idp.ValidateAuthnRequest(method"POST",query url.Values,payload url.Values);
if validationError !=nil {
  return validationError
}
Generate Login Response
signedXML, signedXMLErr := idp.NewSignedLoginResponse()
if signedXMLErr != nil {
    return signedXMLErr
}

//Generate html content for Post
html, err := idp.ResponseHtml(signedXML, "Response")
if err !=nil {
  return err
}
Validate and Parse Logout Request
//This validate the AuthnRequest and set parsed value in the idp instance, 
//that is used in Generating the SAML Logout Response with InResponseTo property

//Get Querystring and Payload values from request with url.Value{} type
validationError := idp.ValidateLogoutRequest(method"POST",query url.Values,payload url.Values);
if validationError !=nil {
  return validationError
}
Generate Logout Response
signedXML, signedXMLErr := idp.NewSignedLoginResponse()
if signedXMLErr != nil {
    return signedXMLErr
}

//Generate html content for Post
html, err := idp.ResponseHtml(signedXML, "LogoutResponse")
if err !=nil {
  return err
}
Metadata Identity Provider
idp := saml.IdentityProvider{
    Issuer:               "https://identity-provider.com/",
    Audiences:            "https://service-provider.com/",
    IDPCert:              "<IDPCert PEM Format>",
    NameIdentifierFormat: saml.AttributeFormatUnspecified,
}

idp.AddSingleSignOnService(saml.MetadataBinding{
    Binding:  saml.HTTPPostBinding,
    Location: "https://identity-provider.com/saml/post",
})

idp.AddSingleSignOnService(saml.MetadataBinding{
    Binding:  saml.HTTPRedirectBinding,
    Location: "https://identity-provider.com/saml/redirect",
})

idp.AddSingleSignOutService(saml.MetadataBinding{
    Binding:  saml.HTTPPostBinding,
    Location: "https://identity-provider.com/saml/post/logout",
})

// Generate xml for IDP Metadata
xml, xmlerr :=  idp.MetaDataResponse()
Example

Please see examples for how to use the library to be an identity provider.

Contributing

Would love any contribution by you, including better documentation, tests or more robust functionality. Please follow the contributing guide

License

MIT

Documentation

Index

Constants

View Source 
const (
	NameIdFormatPersistent      = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	NameIdFormatTransient       = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
	NameIdFormatEmailAddress    = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	NameIdFormatUnspecified     = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
	NameIdFormatX509SubjectName = "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"

	HTTPPostBinding     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	HTTPRedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

	AttributeFormatUnspecified = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
	AttributeFormatBasic       = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
	AttributeFormatUri         = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
)
View Source 
const (
	SignatureAlgorithmRSASHA1   = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
	SignatureAlgorithmRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
)

Supported signature algorithms for responses

View Source 
const (
	DigestAlgorithmSHA1   = "http://www.w3.org/2000/09/xmldsig#sha1"
	DigestAlgorithmSHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
)

Supported digest algorithms for responses

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthnReq 

type AuthnReq struct {
	ID           string
	ForceAuthn   string
	IsPassive    string
	ProviderName string
}

type ContactPerson 

type ContactPerson struct {
	ContactType  string
	GivenName    string
	SurName      string
	EmailAddress string
}

type IdentityProvider 

type IdentityProvider struct {
	IsIdpInitiated       bool
	Issuer               string
	Audiences            []string
	IDPCert              string
	IDPKey               string
	SPCert               string
	IDPCertFilePath      string
	IDPKeyFilePath       string
	SPCertFilePath       string
	Attributes           []map[string]string
	SignatureAlgorithm   string // RSA-SHA256 is the default
	SignaturePrefix      string
	DigestAlgorithm      string // SHA256 is the default
	LifetimeInSeconds    int64
	NameIdentifier       string
	NameIdentifierFormat string
	ACSLocation          string
	ACSBinging           string
	LogoutUrl            string
	RelayState           string
	SessionIndex         string
	SingleSignOnService  []MetadataBinding
	SingleSignOutService []MetadataBinding

	Organization  *Organization
	ContactPerson *[]ContactPerson
	// contains filtered or unexported fields
}

func (*IdentityProvider) AddAttribute 

func (idp *IdentityProvider) AddAttribute(name string, value string, format string)

func (*IdentityProvider) AddContactPerson 

func (idp *IdentityProvider) AddContactPerson(contactPerson ContactPerson)

func (*IdentityProvider) AddContactPersons 

func (idp *IdentityProvider) AddContactPersons(contactPersons ...ContactPerson)

func (*IdentityProvider) AddOrganization 

func (idp *IdentityProvider) AddOrganization(organization Organization)

func (*IdentityProvider) AddSingleSignOnService 

func (idp *IdentityProvider) AddSingleSignOnService(service MetadataBinding)

func (*IdentityProvider) AddSingleSignOutService 

func (idp *IdentityProvider) AddSingleSignOutService(service MetadataBinding)

func (*IdentityProvider) AuthnRequestTTL 

func (idp *IdentityProvider) AuthnRequestTTL(duration time.Duration)

func (*IdentityProvider) MetaDataResponse 

func (idp *IdentityProvider) MetaDataResponse() (string, *Reject)

func (*IdentityProvider) NewSignedLoginResponse 

func (idp *IdentityProvider) NewSignedLoginResponse() (string, *Reject)

func (*IdentityProvider) NewSignedLogoutResponse 

func (idp *IdentityProvider) NewSignedLogoutResponse() (string, *Reject)

func (*IdentityProvider) ResponseHtml 

func (idp *IdentityProvider) ResponseHtml(signedXML string, requestType string) (string, *Reject)

func (*IdentityProvider) ValidateAuthnRequest 

func (idp *IdentityProvider) ValidateAuthnRequest(method string, query url.Values, payload url.Values) (*AuthnReq, *Reject)

func (*IdentityProvider) ValidateLogoutRequest 

func (idp *IdentityProvider) ValidateLogoutRequest(method string, query url.Values, payload url.Values) *Reject

type MetadataBinding 

type MetadataBinding struct {
	Binding  string
	Location string
}

type Organization 

type Organization struct {
	OrganizationName        string
	OrganizationDisplayName string
	OrganizationURL         string
}

type Reject 

type Reject struct {
	Error  error
	Reason string
}

type SamlRequestParam 

type SamlRequestParam struct {
	Method        string
	RequestBuffer []byte
	SAMLRequest   string
	RelayState    string
	SigAlg        string
	Signature     string
	AuthnRequest  *lib.AuthnRequest
	LogoutRequest *lib.LogoutRequest
}

func (*SamlRequestParam) CheckSignature 

func (s *SamlRequestParam) CheckSignature(idp *IdentityProvider) error

func (*SamlRequestParam) GetOctetString 

func (s *SamlRequestParam) GetOctetString() string

func (*SamlRequestParam) ParseAuthnRequest 

func (s *SamlRequestParam) ParseAuthnRequest() error

func (*SamlRequestParam) ParseLogoutRequest 

func (s *SamlRequestParam) ParseLogoutRequest() error

Source Files

View all Source files

Directories

Path Synopsis
utitlity

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.