Constants ¶
// SAML response status codes, as described in the core SAML spec section
// 3.2.2.1 (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).
// Each value is written out explicitly so the numbering stays stable even if
// a constant is later inserted or reordered.
//
// Success is 0, the zero value of int: a status that was never decoded or
// assigned compares equal to Success. Callers should therefore only treat a
// status as successful after it has been explicitly set from the response.
const (
	Success                  int = 0
	Requestor                int = 1
	Responder                int = 2
	VersionMismatch          int = 3
	AuthnFailed              int = 4
	InvalidAttrNameOrValue   int = 5
	InvalidNameIDPolicy      int = 6
	NoAuthnContext           int = 7
	NoAvailableIDP           int = 8
	NoPassive                int = 9
	NoSupportedIDP           int = 10
	PartialLogout            int = 11
	ProxyCountExceeded       int = 12
	RequestDenied            int = 13
	RequestUnsupported       int = 14
	RequestVersionDeprecated int = 15
	RequestVersionTooHigh    int = 16
	RequestVersionTooLow     int = 17
	ResourceNotRecognized    int = 18
	TooManyResponses         int = 19
	UnknownAttrProfile       int = 20
	UnknownPrincipal         int = 21
	UnsupportedBinding       int = 22
)
const (
	// PasswordProtectedTransport is the URN of the SAML 2.0 authentication
	// context class of the same name.
	PasswordProtectedTransport = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
	// RedirectBinding is the URN of the SAML 2.0 HTTP-Redirect binding.
	RedirectBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
)
Variables ¶
// ErrSessionNotFound is the sentinel error for a session that does not exist.
// NOTE(review): which SessionStore methods return it is not visible here;
// presumably Get for an unknown request ID. Callers should compare with
// errors.Is so that wrapped errors still match.
var ErrSessionNotFound = errors.New("session not found")
Functions ¶
func CreateAuthorizationRequest ¶
func CreateAuthorizationRequest(settings *Settings, issuer string, options ...func(o *opts)) (string, error)
CreateAuthorizationRequest creates a url suitable for use to satisfy the SAML redirect binding. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf Section 3.4
func DecodeAuthResponse ¶
DecodeAuthResponse extracts SAML assertions from an IDP response.
Types ¶
type Assertion ¶
// Assertion is the saml:Assertion element carried inside a Response.
//
// NOTE(review): this struct carries no Signature element, so an
// assertion-level signature (as opposed to the Response-level Signature)
// is not represented here; confirm how Validator treats such responses.
type Assertion struct {
	XMLName xml.Name
	// ID is the assertion's ID attribute.
	ID      string `xml:"ID,attr"`
	// Version is the SAML version attribute.
	Version string `xml:"Version,attr"`
	// XS and XSI map the xmlns:xs / xmlns:xsi namespace declarations.
	XS      string `xml:"xmlns:xs,attr"`
	XSI     string `xml:"xmlns:xsi,attr"`
	// SAML is tagged "saml,attr" rather than "xmlns:saml,attr" as in
	// AuthnRequest and Response. NOTE(review): confirm this is intended.
	SAML         string `xml:"saml,attr"`
	// IssueInstant is the IssueInstant attribute, kept as a raw string.
	IssueInstant string `xml:"IssueInstant,attr"`
	Issuer       Issuer `xml:"Issuer"`
	// The remaining elements are matched by their field names.
	Subject            Subject
	Conditions         Conditions
	AttributeStatement AttributeStatement
}
type AttributeStatement ¶
type AttributeValue ¶
type AuthnContextClassRef ¶
type AuthnRequest ¶
// AuthnRequest contains the information needed to request authentication
// from an IDP. See
// http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
// Section 3.4.1.
type AuthnRequest struct {
	XMLName xml.Name
	// SAMLP, SAML and SAMLSIG carry the namespace declarations; SAMLSIG is
	// omitted from the output when empty.
	SAMLP   string `xml:"xmlns:samlp,attr"`
	SAML    string `xml:"xmlns:saml,attr"`
	SAMLSIG string `xml:"xmlns:samlsig,attr,omitempty"`
	// ID is the request identifier. NOTE(review): a Response's InResponseTo
	// is expected to echo this value; where that match is checked is not
	// visible here.
	ID      string `xml:"ID,attr"`
	Version string `xml:"Version,attr"`
	// ProtocolBinding is optional and omitted when empty.
	ProtocolBinding             string `xml:"ProtocolBinding,attr,omitempty"`
	// AssertionConsumerServiceURL is where the IDP should send the Response.
	AssertionConsumerServiceURL string `xml:"AssertionConsumerServiceURL,attr"`
	// Destination is the IDP endpoint the request is addressed to.
	Destination  string `xml:"Destination,attr"`
	IssueInstant string `xml:"IssueInstant,attr"`
	ProviderName string `xml:"ProviderName,attr"`
	Issuer       Issuer `xml:"Issuer"`
	// The pointer fields below are optional child elements; a nil pointer
	// is left out of the serialized request.
	NameIDPolicy          *NameIDPolicy          `xml:"NameIDPolicy,omitempty"`
	RequestedAuthnContext *RequestedAuthnContext `xml:"RequestedAuthnContext,omitempty"`
	Signature             *Signature             `xml:"Signature,omitempty"`
	// contains filtered or unexported fields
}
AuthnRequest contains the information needed to request authorization from an IDP. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section 3.4.1.
type CanonicalizationMethod ¶
type Conditions ¶
type DigestMethod ¶
type DigestValue ¶
type EntityAttributes ¶
type EntityDescriptor ¶
// EntityDescriptor is the md:EntityDescriptor element describing a service
// provider, including its SPSSODescriptor.
type EntityDescriptor struct {
	XMLName xml.Name
	// DS, XMLNS and MD carry namespace declarations as attributes.
	DS    string `xml:"xmlns:ds,attr"`
	XMLNS string `xml:"xmlns,attr"`
	MD    string `xml:"xmlns:md,attr"`
	// EntityId is the entityID attribute (field name kept for API stability).
	EntityId        string          `xml:"entityID,attr"`
	Extensions      Extensions      `xml:"Extensions"`
	SPSSODescriptor SPSSODescriptor `xml:"SPSSODescriptor"`
}
type Extensions ¶
type IDPSSODescriptor ¶
// IDPSSODescriptor is the md:IDPSSODescriptor element from IDP metadata.
// The XMLName tag pins the element to the SAML 2.0 metadata namespace.
type IDPSSODescriptor struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
	// KeyDescriptors lists the IDP's published keys. NOTE(review): whether
	// a "use" attribute (signing vs. encryption) is honoured when selecting
	// a verification key depends on KeyDescriptor, which is not shown here.
	KeyDescriptors      []KeyDescriptor       `xml:"KeyDescriptor"`
	NameIDFormats       []NameIDFormat        `xml:"NameIDFormat"`
	SingleSignOnService []SingleSignOnService `xml:"SingleSignOnService"`
	Attributes          []Attribute           `xml:"Attribute"`
}
type KeyDescriptor ¶
type Metadata ¶
// Metadata is the top-level md:EntityDescriptor of an IDP's metadata
// document, carrying its entityID and IDPSSODescriptor.
type Metadata struct {
	XMLName          xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID         string           `xml:"entityID,attr"`
	IDPSSODescriptor IDPSSODescriptor `xml:"IDPSSODescriptor"`
}
func GetMetadata ¶
GetMetadata retrieves information describing how to interact with a particular IDP via a remote URL. metadataURL is the location of the metadata, and timeout defines how long to wait for a response from the metadata server.
func ParseMetadata ¶
ParseMetadata parses metadata XML into a struct.
type NameIDFormat ¶
type NameIDPolicy ¶
type RequestedAuthnContext ¶
// RequestedAuthnContext is the samlp:RequestedAuthnContext element of an
// AuthnRequest, naming the authentication context class the SP requests.
type RequestedAuthnContext struct {
	XMLName xml.Name
	SAMLP   string `xml:"xmlns:samlp,attr"`
	// Comparison is the Comparison attribute, kept as a raw string.
	Comparison           string               `xml:"Comparison,attr"`
	AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}
type Response ¶
// Response is submitted to the service provider (Kolide) from the IDP via a
// callback. It contains information about an authenticated user that can in
// turn be used to generate a session token. See
// http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
// Section 3.3.3.
//
// Decoding a Response does not verify it; Validator is the type that checks
// the Signature and the response contents.
type Response struct {
	XMLName xml.Name
	// SAMLP, SAML and SAMLSIG carry the namespace declarations.
	SAMLP   string `xml:"xmlns:samlp,attr"`
	SAML    string `xml:"xmlns:saml,attr"`
	SAMLSIG string `xml:"xmlns:samlsig,attr"`
	// Destination is the URL the IDP addressed the response to.
	Destination  string `xml:"Destination,attr"`
	ID           string `xml:"ID,attr"`
	Version      string `xml:"Version,attr"`
	IssueInstant string `xml:"IssueInstant,attr"`
	// InResponseTo is the ID of the AuthnRequest this response answers.
	// NOTE(review): matching it against the originating request ID is not
	// visible in this struct; confirm Validator.ValidateResponse does so.
	InResponseTo string `xml:"InResponseTo,attr"`
	// Assertion is the single saml:Assertion carried by the response.
	Assertion Assertion `xml:"Assertion"`
	// Signature is the response-level XML signature.
	Signature Signature `xml:"Signature"`
	Issuer    Issuer    `xml:"Issuer"`
	Status    Status    `xml:"Status"`
	// contains filtered or unexported fields
}
Response is submitted to the service provider (Kolide) from the IDP via a callback. It will contain information about an authenticated user that can in turn be used to generate a session token. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section 3.3.3.
type SPSSODescriptor ¶
// SPSSODescriptor describes the service provider side of SSO: its supported
// protocols, its signing and encryption keys and its assertion consumer
// services. Fields without tags are matched by name.
type SPSSODescriptor struct {
	XMLName                    xml.Name
	ProtocolSupportEnumeration string `xml:"protocolSupportEnumeration,attr"`
	SigningKeyDescriptor       KeyDescriptor
	EncryptionKeyDescriptor    KeyDescriptor
	AssertionConsumerServices  []AssertionConsumerService
}
type SPSSODescriptors ¶
// SPSSODescriptors is an empty placeholder type; it declares no fields.
// NOTE(review): its role is not visible from this file.
type SPSSODescriptors struct {
}
type SamlsigReference ¶
// SamlsigReference is the ds:Reference element of a SignedInfo. The URI
// attribute names the signed element; Transforms, DigestMethod and
// DigestValue are captured as raw inner XML (",innerxml") rather than
// being decoded field by field.
type SamlsigReference struct {
	XMLName      xml.Name
	URI          string       `xml:"URI,attr"`
	Transforms   Transforms   `xml:",innerxml"`
	DigestMethod DigestMethod `xml:",innerxml"`
	DigestValue  DigestValue  `xml:",innerxml"`
}
type Session ¶
// Session stores state for the lifetime of a single sign-on session.
type Session struct {
	// OriginalURL is the resource being accessed when the login request was
	// triggered.
	OriginalURL string `json:"original_url"`
	// UserName is only assigned from the IDP auth response; if present it
	// indicates that the user has authenticated against the IDP.
	UserName string `json:"user_name"`
	// ExpiresAt is the time after which the session will be removed.
	ExpiresAt time.Time `json:"expires_at"`
	// Metadata is opaque session data. NOTE(review): its contents are not
	// described here; confirm with the SessionStore implementation.
	Metadata string `json:"metadata"`
}
Session stores state for the lifetime of a single sign on session
type SessionStore ¶
// SessionStore persists the state of an SSO session across process
// boundaries and method calls, keyed by the request ID of the sign-on
// session. Entries are expected to expire in the backing store if the SSO
// process is not completed in a reasonable amount of time.
type SessionStore interface {
	// Get returns the Session for requestID. NOTE(review): presumably it
	// returns ErrSessionNotFound for an unknown ID — confirm.
	Get(requestID string) (*Session, error)
	// Expire removes the Session for requestID.
	Expire(requestID string) error
	// contains filtered or unexported methods
}
SessionStore persists the state of an SSO session across process boundaries and method calls by associating the state of the sign-on session with a unique token created by the user agent (browser SPA). The lifetime of the state object is constrained in the backing store (Redis), so if the SSO process is not completed in a reasonable amount of time, it automatically expires and is removed.
func NewSessionStore ¶
func NewSessionStore(pool *redis.Pool) SessionStore
NewSessionStore creates a SessionStore
type Settings ¶
// Settings holds the configuration used to build an authorization request
// and to track the resulting sign-on session.
type Settings struct {
	// Metadata describes the IDP to interact with.
	Metadata *Metadata
	// AssertionConsumerServiceURL is the callback on the service provider
	// which responds to the IDP.
	AssertionConsumerServiceURL string
	// SessionStore persists the sign-on session state.
	SessionStore SessionStore
	// OriginalURL is the resource the user was accessing when login began.
	OriginalURL string
}
type Signature ¶
// Signature is the ds:Signature element: the signed info, the signature
// value and the key info used to verify it. Untagged fields are matched by
// name.
type Signature struct {
	XMLName xml.Name
	// Id is the Id attribute (field name kept for API stability).
	Id             string `xml:"Id,attr"`
	SignedInfo     SignedInfo
	SignatureValue SignatureValue
	KeyInfo        KeyInfo
}
type SignatureMethod ¶
type SignatureValue ¶
type SignedInfo ¶
// SignedInfo is the ds:SignedInfo element of a Signature: the
// canonicalization and signature methods plus the single Reference.
// All child elements are matched by field name.
type SignedInfo struct {
	XMLName                xml.Name
	CanonicalizationMethod CanonicalizationMethod
	SignatureMethod        SignatureMethod
	SamlsigReference       SamlsigReference
}
type SingleLogoutService ¶
type SingleSignOnService ¶
type Status ¶
// Status is the samlp:Status element of a Response, wrapping its StatusCode.
type Status struct {
	XMLName    xml.Name
	StatusCode StatusCode `xml:"StatusCode"`
}
type StatusCode ¶
type Subject ¶
// Subject is the saml:Subject element of an Assertion, holding the NameID
// and its SubjectConfirmation. Fields are matched by name.
type Subject struct {
	XMLName             xml.Name
	NameID              NameID
	SubjectConfirmation SubjectConfirmation
}
type SubjectConfirmation ¶
// SubjectConfirmation is the saml:SubjectConfirmation element. Method is
// read from the attribute named after the field ("Method") since the tag
// gives no explicit name.
type SubjectConfirmation struct {
	XMLName                 xml.Name
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}
type SubjectConfirmationData ¶
type Transforms ¶
type Validator ¶
// Validator checks a decoded IDP response before it is trusted.
//
// ValidateSignature and ValidateResponse are separate methods; a caller
// must invoke both, and the signature check should come first so that
// response contents are only examined after they are known to be
// authentic. NOTE(review): the order is not enforced by the interface.
type Validator interface {
	// ValidateSignature verifies the signature on auth and returns the
	// (possibly updated) auth value.
	ValidateSignature(auth kolide.Auth) (kolide.Auth, error)
	// ValidateResponse checks the contents of auth.
	ValidateResponse(auth kolide.Auth) error
}
func NewValidator ¶
NewValidator is used to validate the response to an auth request. metadata is from the IDP.
type X509Certificate ¶
type X509Data ¶
// X509Data is the ds:X509Data element; the certificate is captured as raw
// inner XML (",innerxml").
type X509Data struct {
	XMLName         xml.Name
	X509Certificate X509Certificate `xml:",innerxml"`
}