README
¶
saml
Provides a pure Go implementation of the Security Assertion Markup Language SAML 2.0 specification.
Service Provider Example
A SAML service provider is a program that consumes assertions from an identity provider. For example, an end user might try to access a web page exposed by a service provider and be redirected to an indentity provider for authentication. An example service provider is included that demonstrates various ways of using this package. See the example README for details on usage.
Development
Run the following make commands to set up your development environment and install dependencies.
make deps
make generate
make test
make deps installs package dependencies.
make generate bundles various files in the built binary.
make test runs unit tests.
Documentation
¶
Index ¶
- Constants
- Variables
- func RelayState(rs string) func() interface{}
- func WithTimeout(timeout time.Duration) func() interface{}
- type Assertion
- type Attribute
- type AttributeStatement
- type AttributeValue
- type AuthnContextClassRef
- type AuthnRequest
- type CallbackResponse
- type CanonicalizationMethod
- type Conditions
- type DigestMethod
- type DigestValue
- type EntityDescriptor
- type ExternallyInitiatedLogout
- type IDPSSODescriptor
- type Identity
- type Issuer
- type KeyDescriptor
- type KeyInfo
- type LogoutRequest
- type LogoutResponse
- type NameID
- type NameIDFormat
- type NameIDPolicy
- type RequestedAuthnContext
- type Response
- type SamlsigReference
- type SelfInitiatedLogout
- type ServiceProvider
- type Signature
- type SignatureMethod
- type SignatureValue
- type SignedInfo
- type SingleLogOutProfile
- type SingleLogoutService
- type SingleSignOnProfile
- type SingleSignOnService
- type Status
- type StatusCode
- type Subject
- type SubjectConfirmation
- type SubjectConfirmationData
- type Transform
- type Transforms
- type X509Certificate
- type X509Data
Constants ¶
const ( // ResponseQueryKey ResponseQueryKey = "SAMLResponse" RequestQueryKey = "SAMLRequest" RelayStateQueryKey = "RelayState" )
const ( // These are response status codes described in the core SAML spec section // 3.2.2.1 See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Success int = iota Requestor Responder VersionMismatch AuthnFailed InvalidAttrNameOrValue InvalidNameIDPolicy NoAuthnContext NoAvailableIDP NoPassive NoSupportedIDP PartialLogout ProxyCountExceeded RequestDenied RequestUnsupported RequestVersionDeprecated RequestVersionTooHigh RequestVersionTooLow ResourceNotRecognized TooManyResponses UnknownAttrProfile UnknownPrincipal UnsupportedBinding )
const ( // user identifier support NameIDEmail = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameIDUnspecified = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameIDX509SubjectName = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameIDWindowsDomainName = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName" NameIDKerboros = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos" )
Variables ¶
var ( // ErrBindingNotSupported occurs when the SP binding is not supported by the IDP ErrBindingNotSupported = errors.New("binding not supported by IDP") )
Functions ¶
func RelayState ¶
func RelayState(rs string) func() interface{}
RelayState use to pass optional relay state to redirect binding
func WithTimeout ¶
WithTimeout pass an optional timeout to GetMetadataURL
Types ¶
type Assertion ¶
type Assertion struct {
XMLName xml.Name
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
XS string `xml:"xmlns:xs,attr"`
XSI string `xml:"xmlns:xsi,attr"`
SAML string `xml:"saml,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
Issuer Issuer `xml:"Issuer"`
Subject Subject
Conditions Conditions
AttributeStatement AttributeStatement
}
type Attribute ¶
type Attribute struct {
XMLName xml.Name
Name string `xml:",attr"`
FriendlyName string `xml:",attr"`
NameFormat string `xml:",attr"`
AttributeValues []AttributeValue `xml:"AttributeValue"`
}
Attribute contains a colleciton of AttributeValue
type AttributeStatement ¶
type AttributeValue ¶
type AttributeValue struct {
XMLName xml.Name
Type string `xml:"xsi:type,attr"`
Value string `xml:",innerxml"`
}
AttributeValue contains the attributes supported by the identity provider
type AuthnContextClassRef ¶
type AuthnRequest ¶
type AuthnRequest struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
SAML string `xml:"xmlns:saml,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr,omitempty"`
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
ProtocolBinding string `xml:"ProtocolBinding,attr"`
AssertionConsumerServiceURL string `xml:"AssertionConsumerServiceURL,attr"`
Destination string `xml:"Destination,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
ProviderName string `xml:"ProviderName,attr"`
Issuer Issuer `xml:"Issuer"`
NameIDPolicy *NameIDPolicy `xml:"NameIDPolicy,omitempty"`
RequestedAuthnContext *RequestedAuthnContext `xml:"RequestedAuthnContext,omitempty"`
Signature *Signature `xml:"Signature,omitempty"`
// contains filtered or unexported fields
}
AuthnRequest contains information needed to request authorization from an IDP See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section 3.4.1
type CallbackResponse ¶
type CallbackResponse struct {
*Identity
*SelfInitiatedLogout
*ExternallyInitiatedLogout
}
type CanonicalizationMethod ¶
type Conditions ¶
type DigestMethod ¶
type DigestValue ¶
type EntityDescriptor ¶
type EntityDescriptor struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
EntityID string `xml:"entityID,attr"`
IDPSSODescriptor IDPSSODescriptor `xml:"IDPSSODescriptor"`
}
EntityDescriptor specifies metadata for a single SAML entity.
func GetMetadataFromFile ¶
func GetMetadataFromFile(metadataPath string) (*EntityDescriptor, error)
GetMetadataFromFile parses IDP metadata stored in file.
func GetMetadataFromURL ¶
func GetMetadataFromURL(url string, opts ...func() interface{}) (*EntityDescriptor, error)
GetMetadataFromURL parses IDP metadata and returns an EntityDescriptor
type ExternallyInitiatedLogout ¶
type ExternallyInitiatedLogout struct {
RedirectURL string
}
type IDPSSODescriptor ¶
type IDPSSODescriptor struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
KeyDescriptors []KeyDescriptor `xml:"KeyDescriptor"`
SingleLogoutService []SingleLogoutService `xml:"SingleLogoutService"`
NameIDFormats []NameIDFormat `xml:"NameIDFormat"`
SingleSignOnService []SingleSignOnService `xml:"SingleSignOnService"`
Attributes []Attribute `xml:"Attribute"`
}
IDPSSODescriptor contains information about the identity provider.
type Identity ¶
Identity contains information about the principal that was authenticated with the IDP. Typically check the user is known to the SP.
type KeyDescriptor ¶
type KeyDescriptor struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata KeyDescriptor"`
Use string `xml:"use,attr"`
KeyInfo KeyInfo `xml:"KeyInfo"`
}
KeyDescriptor element provides information about the cryptographic key(s) that an entity uses to sign data or receive encrypted keys, along with additional cryptographic details.
type KeyInfo ¶
type KeyInfo struct {
XMLName xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
X509Data X509Data `xml:"X509Data"`
}
KeyInfo wrapper for crypto key
type LogoutRequest ¶
type LogoutRequest struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
SAML string `xml:"xmlns:saml,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr,omitempty"`
ID string `xml:"ID,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
Version string `xml:"Version,attr"`
Issuer Issuer
NameID NameID
}
LogoutRequest is sent to the IDP when the Service Provider initiates the logout request. If the IDP initiates the request, the logout request is sent to the service provider. See https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Section 3.7.1 Also Single Logout Profile See https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf Section 4.4.
type LogoutResponse ¶
type LogoutResponse struct {
XMLName xml.Name
InResponseTo string `xml:"InResponseTo,attr"`
Version string `xml:"Version,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
SAMLP string `xml:"xmlns:samlp,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr,omitempty"`
ID string `xml:"ID,attr"`
Issuer Issuer `xml:"Issuer"`
Status Status `xml:"Status"`
}
LogoutResponse this is either send to the Service Provider in response to a LogoutRequest sent to the IDP, or may be returned to the IDP in the event the the IDP initiates the logout request.
type NameIDFormat ¶
type NameIDFormat struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata NameIDFormat"`
Value string `xml:",chardata"`
}
NameIDFormat information about user identifiers
type NameIDPolicy ¶
type NameIDPolicy struct {
XMLName xml.Name
AllowCreate bool `xml:"AllowCreate,attr"`
Format string `xml:"Format,attr"`
}
NameIDPolicy types of user identifiers requested by the assertion consumer
type RequestedAuthnContext ¶
type RequestedAuthnContext struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
Comparison string `xml:"Comparison,attr"`
AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}
RequestedAuthnContext requirements that the requestor places on the authorization context
type Response ¶
type Response struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
SAML string `xml:"xmlns:saml,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr"`
Destination string `xml:"Destination,attr"`
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
InResponseTo string `xml:"InResponseTo,attr"`
Assertion Assertion `xml:"Assertion"`
Signature Signature `xml:"Signature"`
Issuer Issuer `xml:"Issuer"`
Status Status `xml:"Status"`
// contains filtered or unexported fields
}
Response is submitted to the service provider from the IDP via a callback. It will contain information about a authenticated user. See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section 3.3.3.
type SamlsigReference ¶
type SamlsigReference struct {
XMLName xml.Name
URI string `xml:"URI,attr"`
Transforms Transforms `xml:",innerxml"`
DigestMethod DigestMethod `xml:",innerxml"`
DigestValue DigestValue `xml:",innerxml"`
}
type SelfInitiatedLogout ¶
type SelfInitiatedLogout struct {
RelayURL string
}
type ServiceProvider ¶
type ServiceProvider struct {
// IssuerURI uniquely identifies this type of service provider to the IDP
IssuerURI string
// NameIDFormats are the identifiers the service provider expects when checking if
// the user ID returned in an AuthnResponse is known to this SP
NameIDFormats []string
// AssertionConsumerServiceURL is the URL of the service provider handler for
// the AuthnResponse sent by the IDP after sign on.
AssertionConsumerServiceURL string
}
ServiceProvider describes this service provider and various attributes that is supports.
type Signature ¶
type Signature struct {
XMLName xml.Name
Id string `xml:"Id,attr"`
SignedInfo SignedInfo
SignatureValue SignatureValue
KeyInfo KeyInfo
}
Signature contains a digital signature of the enclosing element See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf Section 5
type SignatureMethod ¶
type SignatureValue ¶
type SignedInfo ¶
type SignedInfo struct {
XMLName xml.Name
CanonicalizationMethod CanonicalizationMethod
SignatureMethod SignatureMethod
SamlsigReference SamlsigReference
}
type SingleLogOutProfile ¶
type SingleLogOutProfile struct {
// contains filtered or unexported fields
}
SingleLogOutProfile provides single log out services
func NewSingleLogOutProfile ¶
func NewSingleLogOutProfile(spDescription *ServiceProvider, entity *EntityDescriptor) *SingleLogOutProfile
NewSingleLogOutProfile creates a SingleLogOutProfile
func (*SingleLogOutProfile) HandlePostResponse ¶
func (slp *SingleLogOutProfile) HandlePostResponse(r *http.Request, thisInstant time.Time) (*CallbackResponse, error)
HandlePostResponse validates the IDP response to the logout request. If successful, nil is returned and the host should be logged out.
func (*SingleLogOutProfile) RedirectBinding ¶
func (slp *SingleLogOutProfile) RedirectBinding(email string) (string, error)
RedirectBinding generates a redirect binding that can be used to send a logout request for the user identified by email to an IDP.
type SingleLogoutService ¶
type SingleLogoutService struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SingleLogoutService"`
Binding string `xml:"Binding,attr"`
Location string `xml:"Location,attr"`
}
SingleLogoutService contains parameters needed to connect to the IPD and logout.
type SingleSignOnProfile ¶
type SingleSignOnProfile struct {
// contains filtered or unexported fields
}
SingleSignOnProfile supplies single sign on functionality
func NewSingleSignOnProfile ¶
func NewSingleSignOnProfile(spDescription *ServiceProvider, idpDescription *IDPSSODescriptor) *SingleSignOnProfile
NewSingleSignOnProfile creates an SSOProvider
func (*SingleSignOnProfile) HandlePostResponse ¶
func (sp *SingleSignOnProfile) HandlePostResponse(samlResponse string, thisInstant time.Time) (*CallbackResponse, error)
HandlePostResponse validates the IDP AuthnResponse. If successful information about the IDP authorized user is returned. The samlResponse argument is extracted from the form posted from the IDP in the SAMLResponse form value. TODO: change samlResponse to http.Request and handle form parsing, and key retrieval in this method TODO: probably want to create interface for http.Request for better testing
func (*SingleSignOnProfile) RedirectBinding ¶
func (sp *SingleSignOnProfile) RedirectBinding(opts ...func() interface{}) (string, error)
RedirectBinding returns a url suitable for use to satisfy the SAML redirect binding. Optionally a relay state may be supplied. Typically this would be the URL of the protected resource the user was trying to access when they were prompted to log in. On successful log in the app would redirect to the url contained in RelayState. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf Section 3.4
type SingleSignOnService ¶
type SingleSignOnService struct {
XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SingleSignOnService"`
Binding string `xml:"Binding,attr"`
Location string `xml:"Location,attr"`
}
SingleSignOnService contains information about how to connect to the IDP and sign on.
type Status ¶
type Status struct {
XMLName xml.Name
StatusCode StatusCode `xml:"StatusCode"`
}
type StatusCode ¶
type Subject ¶
type Subject struct {
XMLName xml.Name
NameID NameID
SubjectConfirmation SubjectConfirmation
}
type SubjectConfirmation ¶
type SubjectConfirmation struct {
XMLName xml.Name
Method string `xml:",attr"`
SubjectConfirmationData SubjectConfirmationData
}
type SubjectConfirmationData ¶
type Transforms ¶
type X509Certificate ¶
type X509Certificate struct {
XMLName xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# X509Certificate"`
Data string `xml:",chardata"`
}
X509Certificate the certificate that will be used to verify the signature of AuthnResponse
type X509Data ¶
type X509Data struct {
XMLName xml.Name `xml:"http://www.w3.org/2000/09/xmldsig# X509Data"`
X509Certificate X509Certificate `xml:"X509Certificate"`
}
X509Data wraps the X509 cert.
Source Files
Directories