Constants ¶
const (
	// Bearer is the SAML 2.0 bearer subject-confirmation method URN; it is
	// the value used for SubjectConfirmation.Method.
	Bearer ConfirmationMethod = `urn:oasis:names:tc:SAML:2.0:cm:bearer`
	// PasswordProtectedTransport is the SAML 2.0 authentication context
	// class URN for password authentication over a protected transport; it
	// is the value used for AuthnContext.AuthnContextClassRef.
	PasswordProtectedTransport AuthenticationMethod = `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`
)
// TimeFormat is the layout used for xs:dateTime values. Note that the layout
// carries no zone designator, so values are formatted and parsed as zone-less
// local times. NOTE(review): confirm callers convert to UTC before formatting.
const TimeFormat = "2006-01-02T15:04:05"
TimeFormat is the format defined in xs:dateTime
Variables ¶
// UUIDURL is a fixed name string; presumably it seeds name-based UUID
// generation for message identifiers — confirm against the ID generation code.
var UUIDURL = "github.com/lestrrat/go-saml"
Types ¶
type Assertion ¶
// Assertion is a SAML assertion: an authentication statement, an attribute
// statement, the Conditions attached to the assertion, the issuing metadata
// (ID, IssueInstant, Issuer, Version) and the Subject it is about.
type Assertion struct {
	AuthnStatement     AuthnStatement
	AttributeStatement AttributeStatement
	Conditions         Conditions
	ID                 string
	IssueInstant       time.Time
	Issuer             string
	Subject            Subject
	Version            string
}
func NewAssertion ¶
func NewAssertion() *Assertion
func (*Assertion) AddAttribute ¶
type AssertionConsumerService ¶
func (AssertionConsumerService) MakeXMLNode ¶
type Attribute ¶
// Attribute is a single SAML attribute: its Name, an optional FriendlyName,
// a free-form map of extra attributes (Attrs; presumably serialized as XML
// attributes by MakeXMLNode — confirm) and its Values.
type Attribute struct {
	Attrs        map[string]string
	FriendlyName string
	Name         string
	Values       []AttributeValue
}
type AttributeStatement ¶
// AttributeStatement carries the attributes asserted about the subject.
type AttributeStatement struct {
	// Attributes is the list of attributes in this statement. The original
	// author noted that multiple attributes are probably allowed.
	Attributes []Attribute
}
func (AttributeStatement) MakeXMLNode ¶
type AttributeValue ¶
func (AttributeValue) MakeXMLNode ¶
type AudienceRestriction ¶
// AudienceRestriction holds the Audience values of a Conditions element;
// entries are added via Conditions.AddAudience.
type AudienceRestriction struct {
	Audience []string
}
func (AudienceRestriction) MakeXMLNode ¶
type AuthenticationMethod ¶
// AuthenticationMethod is a URN naming an authentication context class; it
// is the type of AuthnContext.AuthnContextClassRef (see PasswordProtectedTransport).
type AuthenticationMethod string
func (AuthenticationMethod) String ¶
func (am AuthenticationMethod) String() string
type AuthnContext ¶
// AuthnContext describes how the principal was authenticated, as a single
// authentication context class reference.
type AuthnContext struct {
	AuthnContextClassRef AuthenticationMethod
}
func (AuthnContext) MakeXMLNode ¶
type AuthnRequest ¶
// AuthnRequest is a SAML AuthnRequest message. It embeds Request (and thus
// Message) for the common ID/IssueInstant/Issuer/Version fields and adds the
// AuthnRequest-specific settings below.
//
// NOTE(review): AssertionConsumerServiceURL and the *Index fields arrive on
// the wire; a responder should check them against the requester's registered
// endpoints rather than trusting the request value — confirm where that check
// lives.
type AuthnRequest struct {
	Request
	NameIDPolicy                   *NameIDPolicy
	ForceAuthn                     bool
	IsPassive                      bool
	ProtocolBinding                binding.Protocol
	AssertionConsumerServiceURL    string
	AssertionConsumerServiceIndex  uint8
	AttributeConsumingServiceIndex uint8
	ProviderName                   string
	RequestedAuthnContext          *RequestedAuthnContext
}
func DecodeAuthnRequest ¶
func DecodeAuthnRequest(b []byte, verify bool) (*AuthnRequest, error)
DecodeAuthnRequest takes in a byte buffer, decodes it from base64, inflates it, and then parses the resulting XML. If verify is true, it looks for the signature in the payload and does signature validation using go-xmlsec; if verify is false, no signature check is performed and the returned request has not been authenticated.
func DecodeAuthnRequestString ¶
func DecodeAuthnRequestString(s string, verify bool) (*AuthnRequest, error)
DecodeAuthnRequestString takes in a string, decodes it from base64, inflates it, and then parses the resulting XML. If verify is true, it looks for the signature in the payload and does signature validation using go-xmlsec; if verify is false, no signature check is performed and the returned request has not been authenticated.
func NewAuthnRequest ¶
func NewAuthnRequest() *AuthnRequest
func ParseAuthnRequest ¶
func ParseAuthnRequest(src []byte) (*AuthnRequest, error)
func ParseAuthnRequestString ¶
func ParseAuthnRequestString(src string) (*AuthnRequest, error)
func (AuthnRequest) Encode ¶
func (ar AuthnRequest) Encode(key *crypto.Key) ([]byte, error)
Encode takes the Authentication Request, generates the XML string, deflates it, and base64 encodes it. URL encoding is not performed here; it is left to the HTTP layer. If the key value is not nil, it will attempt to generate a signature using that specified key.
func (AuthnRequest) MakeXMLNode ¶
func (*AuthnRequest) PopulateFromXML ¶
func (ar *AuthnRequest) PopulateFromXML(n types.Node) error
func (AuthnRequest) Serialize ¶
func (ar AuthnRequest) Serialize() (string, error)
type AuthnStatement ¶
// AuthnStatement records when the principal was authenticated (AuthnInstant),
// the session it belongs to (SessionIndex) and the authentication context.
type AuthnStatement struct {
	AuthnInstant time.Time
	SessionIndex string
	AuthnContext AuthnContext
}
func (AuthnStatement) MakeXMLNode ¶
type Conditions ¶
// Conditions holds the NotBefore/NotOnOrAfter time bounds, the audience
// restriction and any additional untyped conditions of an assertion.
type Conditions struct {
	NotBefore           time.Time
	NotOnOrAfter        time.Time
	AudienceRestriction AudienceRestriction
	// Condition holds additional conditions; their concrete types are not
	// fixed here — presumably consumed by MakeXMLNode, confirm.
	Condition []interface{}
}
func (*Conditions) AddAudience ¶
func (c *Conditions) AddAudience(s string)
func (Conditions) MakeXMLNode ¶
func (*Conditions) SetNotBefore ¶
func (c *Conditions) SetNotBefore(t time.Time)
type ConfirmationMethod ¶
// ConfirmationMethod is a URN naming a subject-confirmation method; it is
// the type of SubjectConfirmation.Method (see Bearer).
type ConfirmationMethod string
func (ConfirmationMethod) String ¶
func (cm ConfirmationMethod) String() string
type Endpoint ¶
type IndexedEndpoint ¶
type MakeXMLNoder ¶
MakeXMLNoder defines the interface for things that can marshal themselves into libxml2 Nodes.
type Message ¶
// Message holds the fields common to every SAML protocol message; both
// Request and Response embed it.
type Message struct {
	Consent     string
	Destination string
	// ID is an identifier for the request. It is of type xs:ID and
	// MUST follow the requirements specified in Section 1.3.4 for
	// identifier uniqueness. The values of the ID attribute in a
	// request and the InResponseTo attribute in the corresponding
	// response MUST match.
	ID           string
	IssueInstant time.Time
	Issuer       string
	Version      string
}
func (*Message) Initialize ¶
type NameIDPolicy ¶
func NewNameIDPolicy ¶
func NewNameIDPolicy(f nameid.Format, allowCreate bool) *NameIDPolicy
func (NameIDPolicy) MakeXMLNode ¶
func (*NameIDPolicy) PopulateFromXML ¶
func (nip *NameIDPolicy) PopulateFromXML(n types.Element) error
type Request ¶
// Request represents the RequestAbstractType from the SAML specification;
// it carries only the common Message fields.
type Request struct {
	Message
}
Request represents the RequestAbstractType from the SAML specification.
type RequestedAuthnContext ¶
func NewRequestedAuthnContext ¶
func NewRequestedAuthnContext(cmp, classRef string) *RequestedAuthnContext
func (RequestedAuthnContext) MakeXMLNode ¶
type Response ¶
// Response is a SAML response message: the common Message fields, a Status
// code, the ID of the request being answered and an optional Assertion.
type Response struct {
	Message
	Status StatusCode
	// InResponseTo carries the ID of the request this response answers; it
	// MUST match that request's Message.ID.
	InResponseTo string
	Assertion    *Assertion
}
func NewResponse ¶
func NewResponse() *Response
type StatusCode ¶
// StatusCode is a SAML status code URN (see the StatusSuccess and Err*
// constants).
type StatusCode string
const (
	// StatusSuccess means the request succeeded. Additional information MAY
	// be returned in the <StatusMessage> and/or <StatusDetail> elements.
	StatusSuccess StatusCode = "urn:oasis:names:tc:SAML:2.0:status:Success"
	// ErrRequester means that the request could not be performed due to
	// an error on the part of the requester.
	ErrRequester StatusCode = "urn:oasis:names:tc:SAML:2.0:status:Requester"
	// ErrResponder means the request could not be performed due to an error
	// on the part of the SAML responder or SAML authority.
	ErrResponder StatusCode = "urn:oasis:names:tc:SAML:2.0:status:Responder"
	// ErrVersionMismatch means the SAML responder could not process the
	// request because the version of the request message was incorrect.
	ErrVersionMismatch StatusCode = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
)
Top-level status codes
const (
	// ErrAuthnFailed means the responding provider was unable to
	// successfully authenticate the principal.
	ErrAuthnFailed StatusCode = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
	// ErrInvalidAttrNameOrValue means an unexpected or invalid content
	// was encountered within a <saml:Attribute> or <saml:AttributeValue>
	// element.
	ErrInvalidAttrNameOrValue StatusCode = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
	// ErrInvalidNameIDPolicy means the responding provider cannot or
	// will not support the requested name identifier policy.
	ErrInvalidNameIDPolicy StatusCode = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
	// ErrNoAuthnContext means the specified authentication context
	// requirements cannot be met by the responder.
	ErrNoAuthnContext StatusCode = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
	// ErrNoAvailableIDP is used by an intermediary to indicate that
	// none of the supported identity provider <Loc> elements in an
	// <IDPList> can be resolved or that none of the supported identity
	// providers are available.
	ErrNoAvailableIDP StatusCode = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
	// ErrNoPassive indicates the responding provider cannot authenticate
	// the principal passively, as has been requested.
	ErrNoPassive StatusCode = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
	// ErrNoSupportedIDP is used by an intermediary to indicate that none
	// of the identity providers in an <IDPList> are supported by the
	// intermediary.
	ErrNoSupportedIDP StatusCode = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
	// ErrPartialLogout is used by a session authority to indicate to
	// a session participant that it was not able to propagate logout
	// to all other session participants.
	ErrPartialLogout StatusCode = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
	// ErrProxyCountExceeded indicates that a responding provider cannot
	// authenticate the principal directly and is not permitted to proxy
	// the request further.
	ErrProxyCountExceeded StatusCode = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
	// ErrRequestDenied means the SAML responder or SAML authority is
	// able to process the request but has chosen not to respond. This
	// status code MAY be used when there is concern about the security
	// context of the request message or the sequence of request messages
	// received from a particular requester.
	ErrRequestDenied StatusCode = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
	// ErrRequestUnsupported means the SAML responder or SAML authority
	// does not support the request.
	ErrRequestUnsupported StatusCode = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
	// ErrRequestVersionDeprecated means the SAML responder cannot process
	// any requests with the protocol version specified in the request.
	ErrRequestVersionDeprecated StatusCode = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
	// ErrRequestVersionTooHigh means the SAML responder cannot process
	// the request because the protocol version specified in the request
	// message is a major upgrade from the highest protocol version supported
	// by the responder.
	ErrRequestVersionTooHigh StatusCode = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
	// ErrRequestVersionTooLow means the SAML responder cannot process
	// the request because the protocol version specified in the request
	// message is too low.
	ErrRequestVersionTooLow StatusCode = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
	// ErrResourceNotRecognized means the resource value provided in the
	// request message is invalid or unrecognized.
	ErrResourceNotRecognized StatusCode = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
	// ErrTooManyResponses means the response message would contain more
	// elements than the SAML responder is able to return.
	ErrTooManyResponses StatusCode = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
	// ErrUnknownAttrProfile means an entity that has no knowledge of a
	// particular attribute profile has been presented with an attribute
	// drawn from that profile.
	ErrUnknownAttrProfile StatusCode = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
	// ErrUnknownPrincipal means the responding provider does not recognize
	// the principal specified or implied by the request.
	ErrUnknownPrincipal StatusCode = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
	// ErrUnsupportedBinding means the SAML responder cannot properly fulfill
	// the request using the protocol binding specified in the request.
	ErrUnsupportedBinding StatusCode = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
)
Second-level status codes described in https://www.oasis-open.org/committees/download.php/56777/sstc-saml-core-errata-2.0-wd-07-diff.pdf. Quoth: "System entities are free to define more specific status codes by defining appropriate URI references."
func (StatusCode) String ¶
func (s StatusCode) String() string
type Subject ¶
// Subject identifies the principal an assertion is about; it embeds the
// NameID and the SubjectConfirmation so their fields are promoted.
type Subject struct {
	NameID
	SubjectConfirmation
}
type SubjectConfirmation ¶
// SubjectConfirmation states how the subject may be confirmed: the
// confirmation Method (e.g. Bearer), the request being answered, the
// intended Recipient and the NotOnOrAfter bound.
type SubjectConfirmation struct {
	Method ConfirmationMethod
	// InResponseTo presumably holds the ID of the originating request, as
	// for Response.InResponseTo — confirm.
	InResponseTo string
	Recipient    string
	NotOnOrAfter time.Time
}