samlutils

Documentation

Index

• Constants
• Variables
• func FetchMetadata(ctx context.Context, httpClient *http.Client, metadataURL *url.URL) (*saml.EntityDescriptor, []byte, error)
• func FindChild(parentEl *etree.Element, childNS string, childTag string) (*etree.Element, error)
• func ParseMetadataFromFile(fileLocation string) (*saml.EntityDescriptor, []byte, error)
• func ParseMetadataFromXml(xml string) (*saml.EntityDescriptor, []byte, error)
• func ResolveMetadata(ctx context.Context, metadataSource string, opts ...MetadataResolverOptions) (*saml.EntityDescriptor, []byte, error)
• func VerifySignature(opts ...SignatureVerifyOptions) error
• func WritePostBindingHTML(formHtml []byte, rw http.ResponseWriter) error
• type FixedAuthnRequest
  • func NewFixedAuthenticationRequest(sp *saml.ServiceProvider, idpURL string, binding string, resultBinding string) (*FixedAuthnRequest, error)
  • func (req *FixedAuthnRequest) Redirect(relayState string, sp *saml.ServiceProvider) (*url.URL, error)
• type FixedLogoutRequest
  • func NewFixedLogoutRequest(sp *saml.ServiceProvider, idpURL, nameID string) (*FixedLogoutRequest, error)
  • func (req *FixedLogoutRequest) Redirect(relayState string, sp *saml.ServiceProvider) (*url.URL, error)
• type MetadataResolverOption
• type MetadataResolverOptions
  • func WithHttpClient(client *http.Client) MetadataResolverOptions
• type ParsableSamlTypes
• type SAMLObjectParseResult
  • func ParseSAMLObject[T ParsableSamlTypes](gc *gin.Context, dest *T) (ret SAMLObjectParseResult)
• type SignatureContext
• type SignatureVerifyOptions
  • func MetadataSignature(data []byte, certs ...*x509.Certificate) SignatureVerifyOptions

Constants

const (
	HttpParamSAMLRequest  = `SAMLRequest`
	HttpParamSAMLResponse = `SAMLResponse`
	HttpParamSigAlg       = `SigAlg`
	HttpParamSignature    = `Signature`
	HttpParamRelayState   = `RelayState`
	HttpParamSAMLEncoding = `SAMLEncoding`
)

const SAMLEncodingDeflate = `urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE`

Variables

var ErrorXMLNotSigned = errors.New("XML document is not signed")

Functions

func FetchMetadata

func FetchMetadata(ctx context.Context, httpClient *http.Client, metadataURL *url.URL) (*saml.EntityDescriptor, []byte, error)

func FindChild

func FindChild(parentEl *etree.Element, childNS string, childTag string) (*etree.Element, error)

FindChild search direct child XML element matching given NS and Tag in the given parent element

func ParseMetadataFromFile

func ParseMetadataFromFile(fileLocation string) (*saml.EntityDescriptor, []byte, error)

func ParseMetadataFromXml

func ParseMetadataFromXml(xml string) (*saml.EntityDescriptor, []byte, error)

func ResolveMetadata

func ResolveMetadata(ctx context.Context, metadataSource string, opts ...MetadataResolverOptions) (*saml.EntityDescriptor, []byte, error)

ResolveMetadata try to resolve metadata from given metadata source Following modes are supported - if the source start with "<", it's treated as inline XML text - if the source is a valid HTTP/HTTPS URL, metadata is fetched over network using http.Client - if the source is a valid FILE URL (file://), metadata is loaded from file system - for any other source value, it's treated as file path

func VerifySignature

func VerifySignature(opts ...SignatureVerifyOptions) error

VerifySignature verify signature of SAML Request/Response/Metadata This function would choose signing protocol based on bindings and provided information. - saml.HTTPRedirectBinding uses Deflated Encoding. SignatureContext.Request and SignatureContext.Certs is required in this mode - saml.HTTPPostBinding uses enveloped XMLDSign. SignatureContext.XMLData is required in this mode - Enveloped XMLDSign is used when Binding is any other value. SignatureContext.XMLData is required in this mode

func WritePostBindingHTML

func WritePostBindingHTML(formHtml []byte, rw http.ResponseWriter) error

WritePostBindingHTML takes HTML of a request/response submitting form and wrap it in HTML document with proper script security tags and send it to given ResponseWriter

Types

type FixedAuthnRequest

type FixedAuthnRequest struct {
	saml.AuthnRequest
}

func NewFixedAuthenticationRequest

func NewFixedAuthenticationRequest(sp *saml.ServiceProvider, idpURL string, binding string, resultBinding string) (*FixedAuthnRequest, error)

func (*FixedAuthnRequest) Redirect

func (req *FixedAuthnRequest) Redirect(relayState string, sp *saml.ServiceProvider) (*url.URL, error)

Redirect crewjam/saml 0.4.8 hotfix.

type FixedLogoutRequest

type FixedLogoutRequest struct {
	saml.LogoutRequest
}

func NewFixedLogoutRequest

func NewFixedLogoutRequest(sp *saml.ServiceProvider, idpURL, nameID string) (*FixedLogoutRequest, error)

func (*FixedLogoutRequest) Redirect

func (req *FixedLogoutRequest) Redirect(relayState string, sp *saml.ServiceProvider) (*url.URL, error)

Redirect crewjam/saml 0.4.8 hotfix.

type MetadataResolverOption

type MetadataResolverOption struct {
	HttpClient *http.Client
}

type MetadataResolverOptions

type MetadataResolverOptions func(opt *MetadataResolverOption)

func WithHttpClient

func WithHttpClient(client *http.Client) MetadataResolverOptions

type ParsableSamlTypes

type ParsableSamlTypes interface {
	saml.LogoutRequest | saml.LogoutResponse | saml.AuthnRequest | saml.Response
}

type SAMLObjectParseResult

type SAMLObjectParseResult struct {
	Binding string
	Encoded string
	Decoded []byte
	Err     error
}

func ParseSAMLObject

func ParseSAMLObject[T ParsableSamlTypes](gc *gin.Context, dest *T) (ret SAMLObjectParseResult)

type SignatureContext

type SignatureContext struct {
	Binding string
	Certs   []*x509.Certificate
	Request *http.Request
	XMLData []byte
}

type SignatureVerifyOptions

type SignatureVerifyOptions func(sc *SignatureContext)

func MetadataSignature

func MetadataSignature(data []byte, certs ...*x509.Certificate) SignatureVerifyOptions

MetadataSignature returns SignatureVerifyOptions for metadata validation