Index ¶
- Constants
- Variables
- func GetAuthnRequestURL(baseURL string, b64XML string, state string) (string, error)
- func ID() string
- func SignRequest(xml string, privateKeyPath string) (string, error)
- func SignResponse(xml string, privateKeyPath string) (string, error)
- func VerifyRequestSignature(xml string, publicCertPath string) error
- func VerifyResponseSignature(xml string, publicCertPath string) error
- type Assertion
- type AssertionConsumerService
- type Attribute
- type AttributeStatement
- type AttributeValue
- type AudienceRestriction
- type AuthnContext
- type AuthnContextClassRef
- type AuthnRequest
- func (r *AuthnRequest) CompressedEncodedSignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) CompressedEncodedString() (string, error)
- func (r *AuthnRequest) EncodedSignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) EncodedString() (string, error)
- func (r *AuthnRequest) SignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) String() (string, error)
- func (r *AuthnRequest) Validate(publicCertPath string) error
- type AuthnStatement
- type CanonicalizationMethod
- type Conditions
- type DigestMethod
- type DigestValue
- type EntityAttributes
- type EntityDescriptor
- type Extensions
- type IDPList
- type IdentityProviderSettings
- type Issuer
- type KeyDescriptor
- type KeyInfo
- type NameID
- type NameIDPolicy
- type RequestedAuthnContext
- type Response
- func (r *Response) AddAttribute(name, value string)
- func (r *Response) CompressedEncodedSignedString(privateKeyPath string) (string, error)
- func (r *Response) EncodedSignedString(privateKeyPath string) (string, error)
- func (r *Response) GetAttributeValue(name string) string
- func (r *Response) GetAttributeValues(name string) []string
- func (r *Response) SetIssuer(issuer string)
- func (r *Response) SetNameID(nameID string)
- func (r *Response) SetResponseTo(responseTo string)
- func (r *Response) SignedString(privateKeyPath string) (string, error)
- func (r *Response) String() (string, error)
- func (r *Response) Validate(s *ServiceProviderSettings) error
- type SPSSODescriptor
- type SPSSODescriptors
- type SamlsigReference
- type Scoping
- type ServiceProviderSettings
- func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest
- func (s *ServiceProviderSettings) GetEntityDescriptor() (string, error)
- func (s *ServiceProviderSettings) IDPPublicCert() string
- func (s *ServiceProviderSettings) Init() (err error)
- func (s *ServiceProviderSettings) PrivateKey() string
- func (s *ServiceProviderSettings) PublicCert() string
- type Signature
- type SignatureMethod
- type SignatureValue
- type SignedInfo
- type SingleLogoutService
- type Status
- type StatusCode
- type Subject
- type SubjectConfirmation
- type SubjectConfirmationData
- type Transform
- type Transforms
- type X509Certificate
- type X509Data
Constants ¶
// SAML 2.0 status code URIs, as carried in <samlp:StatusCode Value="...">.
// RESP_STATUS_SUCCESS is the only value that marks a usable Response; every
// other code is a failure and the Response must be rejected regardless of
// what its Assertion contains.
const (
	RESP_STATUS_SUCCESS                    = "urn:oasis:names:tc:SAML:2.0:status:Success"
	RESP_STATUS_REQUESTER                  = "urn:oasis:names:tc:SAML:2.0:status:Requester"
	RESP_STATUS_RESPONDER                  = "urn:oasis:names:tc:SAML:2.0:status:Responder"
	RESP_STATUS_VERSION_MISMATCH           = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
	RESP_STATUS_AUTHN_FAILED               = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
	RESP_STATUS_INVALID_ATTR_NAME_OR_VALUE = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
	RESP_STATUS_INVALID_NAMEID_POLICY      = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
	RESP_STATUS_NO_AUTHN_CONTEXT           = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
	RESP_STATUS_NO_AVAILABLE_IDP           = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
	RESP_STATUS_NO_PASSIVE                 = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
	RESP_STATUS_NO_SUPPORTED_IDP           = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
	RESP_STATUS_PARTIAL_LOGOUT             = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
	RESP_STATUS_PROXY_COUNT_EXCEEDED       = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
	RESP_STATUS_REQUEST_DENIED             = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
	RESP_STATUS_REQUEST_UNSUPPORTED        = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
	RESP_STATUS_REQUEST_VERSION_DEPRECATED = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
	RESP_STATUS_REQUEST_VERSION_TOO_HIGH   = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
	RESP_STATUS_REQUEST_VERSION_TOO_LOW    = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
	RESP_STATUS_RESOURCE_NOT_RECOGNIZED    = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
	RESP_STATUS_TOO_MANY_RESPONSES         = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
	RESP_STATUS_UNKNOWN_ATTR_PROFILE       = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
	RESP_STATUS_UNKNOWN_PRINCIPAL          = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
	RESP_STATUS_UNSUPPORTED_BINDING        = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
)
// SAML_BINDING_HTTP_POST is the only binding URN this package defines.
// NOTE(review): the Compressed* (deflate) encoders suggest HTTP-Redirect is
// also used for requests, but no constant for that binding is exported here.
const (
	SAML_BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
)
Variables ¶
// Sentinel errors, presumably returned by Response.Validate (inferred from
// the ERR_RESP_ prefix — confirm against the implementation). Compare with
// errors.Is.
//
// NOTE(review): this set covers version, ID presence, Assertion presence,
// Signature presence, Destination, the SubjectConfirmation Method, Recipient
// and expiry. Nothing here corresponds to an Audience, InResponseTo or Issuer
// mismatch, so callers should verify those themselves before accepting a
// Response. Presence of a Signature is not the same as a valid one; run
// VerifyResponseSignature as well.
var (
	ERR_RESP_UNSUPPORT_VERSION = errors.New("Unsupport saml version!")
	ERR_RESP_NEED_ID           = errors.New("Missing ID attribute on SAML Response")
	ERR_RESP_NEED_ASSERTION    = errors.New("Need Assertions!")
	ERR_RESP_NEED_SIGNATURE    = errors.New("Need signature!")
	ERR_RESP_DEST_MISMATH      = errors.New("Destination mismath!")
	ERR_RESP_METHOD_WRONG      = errors.New("Wrong assertion method!")
	ERR_RESP_RECIP_MISMATH     = errors.New("Subject recipient mismatch!")
	ERR_RESP_ASSERTION_EXPIRED = errors.New("Assertion has expired!")
)
Functions ¶
func GetAuthnRequestURL ¶
GetAuthnRequestURL generates the URL that sends the browser to the IdP: `baseURL` is the IdP SSO endpoint, `b64XML` is the already-encoded AuthnRequest placed in the `SAMLRequest` query parameter, and `state` is the opaque value returned to the SP alongside the Response (presumably carried as `RelayState`). `state` should be unguessable and bound to the user's session so the returned Response can be tied to the request that initiated it.
func SignRequest ¶
SignRequest signs a SAML 2.0 AuthnRequest. `privateKeyPath` must be a path on the filesystem; the `xmlsec1` binary is run out of process through `exec`, so it must be installed and resolvable on PATH, and the key file must be readable by this process. Only the path (not the key material) is passed to xmlsec1, but the file should still be kept non-world-readable.
func SignResponse ¶
SignResponse signs a SAML 2.0 Response. `privateKeyPath` must be a path on the filesystem; the `xmlsec1` binary is run out of process through `exec`, so it must be installed and resolvable on PATH, and the key file must be readable by this process (keep it non-world-readable).
func VerifyRequestSignature ¶
VerifyRequestSignature verifies the XML signature of a SAML 2.0 AuthnRequest document. `publicCertPath` must be a path on the filesystem; `xmlsec1` is run out of process through `exec`. The certificate at that path is the sole trust anchor: a nil error means the document was signed by that key, not that its contents (Issuer, Destination, IssueInstant) are acceptable — check those separately.
func VerifyResponseSignature ¶
VerifyResponseSignature verifies the XML signature of a SAML 2.0 Response document. `publicCertPath` must be a path on the filesystem; `xmlsec1` is run out of process through `exec`. Treat a nil error as "signed by the IdP certificate at `publicCertPath`" only: the Response must still pass `Response.Validate` (Destination, Recipient, expiry), and the caller should additionally check InResponseTo, Audience and Issuer, which the exported ERR_RESP_* set suggests Validate does not cover.
Types ¶
type Assertion ¶
// Assertion is the <saml:Assertion> element carried inside a Response.
// XS and XSI hold the xmlns:xs / xmlns:xsi namespace declarations, emitted
// as plain attributes.
type Assertion struct {
	XMLName            xml.Name
	ID                 string `xml:"ID,attr"`           // presumably what SamlsigReference.URI ("#ID") points at
	Version            string `xml:"Version,attr"`
	XS                 string `xml:"xmlns:xs,attr"`
	XSI                string `xml:"xmlns:xsi,attr"`
	IssueInstant       string `xml:"IssueInstant,attr"` // xs:dateTime kept as a raw string; callers parse it
	Issuer             Issuer `xml:"Issuer"`
	Subject            Subject
	Conditions         Conditions
	AuthnStatement     AuthnStatement
	AttributeStatement AttributeStatement
	// Signature is a pointer so a nil value is omitted on marshal. On the
	// receiving side an assertion with no signature must be treated as
	// unauthenticated unless the enclosing Response is signed and that
	// signature has been verified.
	Signature *Signature `xml:"ds:Signature,omitempty"`
}
SAML response assertion
type AttributeStatement ¶
type AttributeValue ¶
type AudienceRestriction ¶
// AudienceRestriction holds the <saml:Audience> the assertion is addressed
// to. An SP should compare it against its own entityID and reject assertions
// meant for another SP; the exported ERR_RESP_* set suggests Response.Validate
// does not do this itself — confirm.
//
// NOTE(review): encoding/xml matches the tag text against the element's
// local name, so a prefixed tag such as `saml:Audience` may not decode from
// a real IdP response. Verify Audience is actually populated before relying
// on an audience check.
type AudienceRestriction struct {
	Audience string `xml:"saml:Audience"`
}
type AuthnContext ¶
// AuthnContext carries the <saml:AuthnContextClassRef> of an AuthnStatement,
// i.e. the URI describing how the IdP authenticated the principal.
//
// NOTE(review): the prefixed tag `saml:AuthnContextClassRef` is matched
// against the element's local name by encoding/xml and may not decode from a
// real IdP response — confirm ClassRef is populated before using it.
type AuthnContext struct {
	ClassRef string `xml:"saml:AuthnContextClassRef"`
}
type AuthnContextClassRef ¶
type AuthnRequest ¶
// AuthnRequest is the <samlp:AuthnRequest> an SP sends to the IdP. Build one
// with NewAuthnRequest (or ServiceProviderSettings.GetAuthnRequest), then
// serialize it with String/EncodedString/CompressedEncodedString or their
// *Signed* variants, which take the SP private key path.
type AuthnRequest struct {
	XMLName                        xml.Name
	SAMLP                          string                `xml:"xmlns:samlp,attr"`
	SAML                           string                `xml:"xmlns:saml,attr"`
	SAMLSIG                        string                `xml:"xmlns:samlsig,attr,omitempty"`
	ID                             string                `xml:"ID,attr"` // must be unique per request; the Response's InResponseTo refers back to it
	Version                        string                `xml:"Version,attr"`
	ProtocolBinding                string                `xml:"ProtocolBinding,attr"`
	AssertionConsumerServiceURL    string                `xml:"AssertionConsumerServiceURL,attr"`
	IssueInstant                   string                `xml:"IssueInstant,attr"`
	AssertionConsumerServiceIndex  int                   `xml:"AssertionConsumerServiceIndex,attr"` // no omitempty: a zero index is always emitted
	AttributeConsumingServiceIndex int                   `xml:"AttributeConsumingServiceIndex,attr"`
	Issuer                         Issuer                `xml:"Issuer"`
	NameIDPolicy                   NameIDPolicy          `xml:"NameIDPolicy,omitempty"`
	RequestedAuthnContext          RequestedAuthnContext `xml:"RequestedAuthnContext"`
	Signature                      *Signature            `xml:"Signature,omitempty"` // pointer, so nil is omitted
	// NOTE(review): omitempty has no effect on struct-typed fields in
	// encoding/xml (only false, 0, nil and zero-length values are "empty"),
	// so empty <Subject>, <Conditions> and <Scoping> elements are emitted even
	// when unset — confirm against the marshalled output.
	Subject    Subject    `xml:"Subject,omitempty"`
	Conditions Conditions `xml:"Conditions,omitempty"`
	Scoping    Scoping    `xml:"Scoping,omitempty"`
	// contains filtered or unexported fields
}
An AuthnRequest is generated by the SP (Service Provider) and sent to the IdP (Identity Provider). Refer to: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf [pages 36, 48].
Attributes and Sequences

| Name | Type | Description |
|---|---|---|
| ID | ID | required; An identifier for the request. |
| Version | string | required; The version of the request. |
| IssueInstant | dateTime | required; The time instant of issue of the request. |
| Destination | anyURI | optional; A URI reference indicating the address to which this request has been sent. |
| Consent | anyURI | optional; Indicates whether or not consent has been obtained from a principal. |
| ForceAuthn | boolean | optional; Indicates whether the IdP MUST authenticate the presenter directly. |
| IsPassive | boolean | optional; Indicates whether or not the IdP may take control of the user interface. |
| ProtocolBinding | anyURI | optional; A URI reference that identifies the protocol binding to use for the <Response>. |
| AssertionConsumerServiceIndex | uint | optional; Indirectly identifies the location to which the <Response> message should be returned to the requester. |
| AssertionConsumerServiceURL | anyURI | optional; Specifies by value the location to which the <Response> message MUST be returned to the requester. |
| AttributeConsumingServiceIndex | uint | optional; Indirectly identifies the SAML attributes to be supplied by the identity provider. |
| ProviderName | string | optional; Specifies the human-readable name of the requester for use by the presenter's user agent or the identity provider. |
| Issuer | Issuer | optional; Identifies the entity that generated the request message. |
| Signature | Signature | optional; An XML Signature that authenticates the requester and provides message integrity. |
| Subject | Subject | optional; Specifies the requested subject of the resulting assertion(s). |
| Conditions | Conditions | optional; Specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting assertion(s). |
| Scoping | Scoping | optional; Specifies a set of identity providers trusted by the requester to authenticate the presenter. |

Note: Destination, Consent, ForceAuthn, IsPassive and ProviderName are listed from the specification for completeness but have no corresponding field in the AuthnRequest struct above, so they cannot be set through this type.
func NewAuthnRequest ¶
func NewAuthnRequest() *AuthnRequest
func ParseCompressedEncodedRequest ¶
func ParseCompressedEncodedRequest(b64RequestXML string) (*AuthnRequest, error)
func ParseEncodedRequest ¶
func ParseEncodedRequest(b64RequestXML string) (*AuthnRequest, error)
func (*AuthnRequest) CompressedEncodedSignedString ¶
func (r *AuthnRequest) CompressedEncodedSignedString(privateKeyPath string) (string, error)
func (*AuthnRequest) CompressedEncodedString ¶
func (r *AuthnRequest) CompressedEncodedString() (string, error)
func (*AuthnRequest) EncodedSignedString ¶
func (r *AuthnRequest) EncodedSignedString(privateKeyPath string) (string, error)
EncodedSignedString signs the AuthnRequest with the private key at `privateKeyPath` and returns the signed XML base64-encoded, without the deflate step implied by CompressedEncodedSignedString. Signing runs xmlsec1 out of process; see SignRequest.
func (*AuthnRequest) EncodedString ¶
func (r *AuthnRequest) EncodedString() (string, error)
func (*AuthnRequest) SignedString ¶
func (r *AuthnRequest) SignedString(privateKeyPath string) (string, error)
func (*AuthnRequest) String ¶
func (r *AuthnRequest) String() (string, error)
func (*AuthnRequest) Validate ¶
func (r *AuthnRequest) Validate(publicCertPath string) error
type AuthnStatement ¶
type CanonicalizationMethod ¶
type Conditions ¶
// Conditions carries the validity window and audience restriction of an
// Assertion.
type Conditions struct {
	XMLName xml.Name
	// NotBefore / NotOnOrAfter are xs:dateTime values kept verbatim; parse
	// them (time.RFC3339) and compare against the clock with a small skew
	// allowance. ERR_RESP_ASSERTION_EXPIRED suggests Validate checks the
	// upper bound; no exported error covers a not-yet-valid assertion.
	NotBefore    string `xml:",attr"`
	NotOnOrAfter string `xml:",attr"`
	// The Audience must match the SP's own entityID; see AudienceRestriction
	// for the caveat about the prefixed tag.
	AudienceRestriction AudienceRestriction `xml:"saml:AudienceRestriction"`
}
type DigestMethod ¶
type DigestValue ¶
type EntityAttributes ¶
type EntityDescriptor ¶
// EntityDescriptor is the SP metadata document (<md:EntityDescriptor>),
// presumably what ServiceProviderSettings.GetEntityDescriptor serializes. The
// IdP imports it to learn the SP's entityID, certificates and
// AssertionConsumerService endpoints, so publish it over an authenticated
// channel.
type EntityDescriptor struct {
	XMLName         xml.Name
	DS              string          `xml:"xmlns:ds,attr"`
	XMLNS           string          `xml:"xmlns,attr"`
	MD              string          `xml:"xmlns:md,attr"`
	EntityId        string          `xml:"entityID,attr"` // the SP identifier; the value an IdP is expected to place in <Audience>
	Extensions      Extensions      `xml:"Extensions"`
	SPSSODescriptor SPSSODescriptor `xml:"SPSSODescriptor"`
}
type Extensions ¶
type IdentityProviderSettings ¶
// IdentityProviderSettings is an empty placeholder. IdP-side configuration is
// not modelled here; the IDP* fields of ServiceProviderSettings are the only
// IdP settings this package exposes.
type IdentityProviderSettings struct {
}
type Issuer ¶
type KeyDescriptor ¶
type NameIDPolicy ¶
// NameIDPolicy is the <samlp:NameIDPolicy> element of an AuthnRequest,
// constraining the NameID format the IdP should return. Build with
// NewNameIDPolicy.
type NameIDPolicy struct {
	XMLName         xml.Name
	SPNameQualifier string `xml:"SPNameQualifier,attr,omitempty"`
	AllowCreate     bool   `xml:"AllowCreate,attr,omitempty"` // false is omitted entirely rather than written as "false"
	Format          string `xml:"Format,attr,omitempty"`      // typically a urn:oasis:names:tc:SAML:...:nameid-format:* URI
}
func NewNameIDPolicy ¶
func NewNameIDPolicy() *NameIDPolicy
type RequestedAuthnContext ¶
// RequestedAuthnContext asks the IdP for a particular authentication
// strength. Comparison is one of exact, minimum, maximum or better (per the
// SAML core spec referenced on AuthnRequest).
type RequestedAuthnContext struct {
	XMLName              xml.Name
	SAMLP                string               `xml:"xmlns:samlp,attr"`
	Comparison           string               `xml:"Comparison,attr"`
	AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}
type Response ¶
// Response is the <samlp:Response> an IdP returns to the SP's
// AssertionConsumerService. Parse one with ParseEncodedResponse, then run
// VerifyResponseSignature and Validate before reading any attribute.
type Response struct {
	XMLName      xml.Name
	SAMLP        string `xml:"xmlns:samlp,attr"`
	SAML         string `xml:"xmlns:saml,attr"`
	Destination  string `xml:"Destination,attr"`  // presumably compared with the SP ACS URL (ERR_RESP_DEST_MISMATH)
	ID           string `xml:"ID,attr"`           // required (ERR_RESP_NEED_ID); a good key for replay detection
	Version      string `xml:"Version,attr"`
	IssueInstant string `xml:"IssueInstant,attr"`
	InResponseTo string `xml:"InResponseTo,attr"` // AuthnRequest ID; no ERR_RESP_* covers it, so match it to a pending request yourself
	Issuer       Issuer `xml:"Issuer"`
	// NOTE(review): omitempty does not omit struct values in encoding/xml,
	// so an empty <Signature> element is emitted when this is unset.
	Signature Signature `xml:"Signature,omitempty"`
	Status    Status    `xml:"Status"` // only RESP_STATUS_SUCCESS is a success
	// A single Assertion is decoded; if a document carries several, only one
	// survives unmarshalling. Verify the signature over the exact bytes you
	// parse and read attributes only from this decoded Assertion.
	Assertion Assertion `xml:"Assertion"`
	// contains filtered or unexported fields
}
SAML Response structure
func NewSignedResponse ¶
func NewSignedResponse() *Response
NewSignedResponse creates a new Response with a Signature template in place. Despite the name it cannot sign anything — it takes no key — so the result is unsigned until SignedString/EncodedSignedString/CompressedEncodedSignedString is called with the IdP private key path.
func ParseEncodedResponse ¶
func (*Response) AddAttribute ¶
AddAttribute adds a string-valued attribute (presumably to the Assertion's AttributeStatement) to the Response.
func (*Response) CompressedEncodedSignedString ¶
func (*Response) EncodedSignedString ¶
func (*Response) GetAttributeValue ¶
GetAttributeValue returns a value of the attribute whose Name or FriendlyName equals `name`, or "" when no such attribute exists. Because "" is also a legitimate attribute value, callers that must distinguish "absent" from "empty" should use GetAttributeValues. FriendlyName is informational and IdP-controlled; for attributes that drive authorization decisions, look the attribute up by its formal Name.
func (*Response) GetAttributeValues ¶
GetAttributeValues returns all values of the attribute matching `name`; the slice is empty (or nil) when the attribute is absent.
func (*Response) SetResponseTo ¶
SetResponseTo sets the InResponseTo attribute — the ID of the AuthnRequest this Response answers. An SP receiving a Response should compare this value against the IDs of requests it actually issued and reject unsolicited or mismatched values.
func (*Response) SignedString ¶
func (*Response) Validate ¶
func (r *Response) Validate(s *ServiceProviderSettings) error
type SPSSODescriptor ¶
// SPSSODescriptor is the <md:SPSSODescriptor> section of the SP metadata.
// The SingleLogoutService field is commented out, so the published metadata
// advertises no SLO endpoint.
type SPSSODescriptor struct {
	XMLName                    xml.Name
	ProtocolSupportEnumeration string `xml:"protocolSupportEnumeration,attr"`
	SigningKeyDescriptor       KeyDescriptor
	EncryptionKeyDescriptor    KeyDescriptor
	// SingleLogoutService SingleLogoutService `xml:"SingleLogoutService"`
	AssertionConsumerServices []AssertionConsumerService
}
type SPSSODescriptors ¶
// SPSSODescriptors is an empty placeholder; EntityDescriptor holds a single
// SPSSODescriptor directly.
type SPSSODescriptors struct {
}
type SamlsigReference ¶
// SamlsigReference is the <ds:Reference> of a SignedInfo. URI names the
// signed element (presumably "#" followed by its ID).
//
// NOTE(review): encoding/xml documents ",innerxml" for string and []byte
// fields; its behaviour on struct-typed fields such as these is not
// documented. Confirm that Transforms, DigestMethod and DigestValue actually
// round-trip through Marshal/Unmarshal before relying on them.
type SamlsigReference struct {
	XMLName      xml.Name
	URI          string       `xml:"URI,attr"`
	Transforms   Transforms   `xml:",innerxml"`
	DigestMethod DigestMethod `xml:",innerxml"`
	DigestValue  DigestValue  `xml:",innerxml"`
}
type ServiceProviderSettings ¶
// ServiceProviderSettings configures one SP/IdP pairing. Call Init before
// use; it is the only setup hook and presumably loads the files named here
// (the PublicCert/PrivateKey/IDPPublicCert accessors return their contents
// as strings). The *Path fields are handed to xmlsec1 by the Sign*/Verify*
// functions.
type ServiceProviderSettings struct {
	PublicCertPath              string // SP signing certificate, published in the metadata
	PrivateKeyPath              string // SP signing key; keep the file non-world-readable — it is read by this process and by xmlsec1
	IDPSSOURL                   string // IdP SSO endpoint the AuthnRequest is sent to
	IDPSSODescriptorURL         string
	IDPPublicCertPath           string // trust anchor for VerifyResponseSignature: Responses are accepted on the strength of this certificate alone
	AssertionConsumerServiceURL string // where the IdP returns the Response; presumably what Destination/Recipient are checked against
	SPSignRequest               bool   // when true, AuthnRequests are signed with PrivateKeyPath (presumably)
	// contains filtered or unexported fields
}
ServiceProviderSettings provides the settings to configure a server acting as a SAML Service Provider. Only one IdP per SP is expected in this configuration; to federate with multiple IdPs, configure multiple instances of this module, each with its own IDPPublicCertPath.
func (*ServiceProviderSettings) GetAuthnRequest ¶
func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest
GetAuthnRequest returns a new *AuthnRequest populated from these settings (presumably AssertionConsumerServiceURL and issuer). The result is neither signed nor encoded — use the AuthnRequest's SignedString/EncodedSignedString/CompressedEncodedSignedString methods with PrivateKeyPath when SPSignRequest is set.
func (*ServiceProviderSettings) GetEntityDescriptor ¶
func (s *ServiceProviderSettings) GetEntityDescriptor() (string, error)
func (*ServiceProviderSettings) IDPPublicCert ¶
func (s *ServiceProviderSettings) IDPPublicCert() string
func (*ServiceProviderSettings) Init ¶
func (s *ServiceProviderSettings) Init() (err error)
func (*ServiceProviderSettings) PrivateKey ¶
func (s *ServiceProviderSettings) PrivateKey() string
func (*ServiceProviderSettings) PublicCert ¶
func (s *ServiceProviderSettings) PublicCert() string
type Signature ¶
// Signature is the enveloped <ds:Signature> of an AuthnRequest, Response or
// Assertion. SAMLSIG holds the xmlns:ds namespace declaration despite its
// name. Build a template with NewSignature; the SignatureValue and digest are
// presumably filled in by xmlsec1 through SignRequest/SignResponse.
type Signature struct {
	XMLName        xml.Name
	SAMLSIG        string `xml:"xmlns:ds,attr"`
	SignedInfo     SignedInfo
	SignatureValue SignatureValue
	// KeyInfo is the signer's self-declared certificate. Never use it as the
	// trust anchor: verify against the configured publicCertPath instead, as
	// the Verify* functions do.
	KeyInfo KeyInfo
}
func NewSignature ¶
func NewSignature() *Signature
type SignatureMethod ¶
type SignatureValue ¶
type SignedInfo ¶
// SignedInfo is the <ds:SignedInfo> block that the signature actually covers:
// canonicalization and signature algorithms plus one Reference to the signed
// element. Build with NewSignedInfo.
type SignedInfo struct {
	XMLName                xml.Name
	CanonicalizationMethod CanonicalizationMethod
	SignatureMethod        SignatureMethod
	SamlsigReference       SamlsigReference // a single Reference; multi-Reference signatures are not modelled
}
func NewSignedInfo ¶
func NewSignedInfo() *SignedInfo
type SingleLogoutService ¶
type Status ¶
// Status wraps the <samlp:StatusCode> of a Response. Compare the StatusCode
// against RESP_STATUS_SUCCESS before trusting the Assertion; every other
// RESP_STATUS_* value is a failure.
type Status struct {
	XMLName    xml.Name
	StatusCode StatusCode `xml:"StatusCode"`
}
type StatusCode ¶
type Subject ¶
// Subject is the <saml:Subject> of an Assertion: the NameID identifying the
// principal plus the SubjectConfirmation that binds the assertion to this
// SP's request.
type Subject struct {
	XMLName             xml.Name
	NameID              NameID
	SubjectConfirmation SubjectConfirmation
}
structure of <Subject>
type SubjectConfirmation ¶
// SubjectConfirmation is the <saml:SubjectConfirmation> element. Method is
// the confirmation method URI; ERR_RESP_METHOD_WRONG suggests Validate
// requires a specific one (for Web SSO that is normally the bearer method,
// urn:oasis:names:tc:SAML:2.0:cm:bearer — confirm against the implementation).
type SubjectConfirmation struct {
	XMLName                 xml.Name
	Method                  string `xml:",attr"`
	SubjectConfirmationData SubjectConfirmationData
}
structure of <SubjectConfirmation>
type SubjectConfirmationData ¶
// SubjectConfirmationData constrains when and where the subject confirmation
// is valid. All attributes are optional and kept as raw strings.
type SubjectConfirmationData struct {
	XMLName      xml.Name
	InResponseTo string `xml:",attr,omitempty"` // AuthnRequest ID; should agree with Response.InResponseTo and a request the SP issued
	NotOnOrAfter string `xml:",attr,omitempty"` // xs:dateTime; presumably what ERR_RESP_ASSERTION_EXPIRED enforces
	NotBefore    string `xml:",attr,omitempty"`
	Recipient    string `xml:",attr,omitempty"` // ACS URL; presumably checked by Validate (ERR_RESP_RECIP_MISMATH)
	Address      string `xml:",attr,omitempty"` // client address seen by the IdP; no ERR_RESP_* covers it
}
SubjectConfirmationData specifies additional data that allows the subject to be confirmed, or constrains the circumstances under which the act of subject confirmation can take place (InResponseTo, Recipient and the NotBefore/NotOnOrAfter window).
type Transforms ¶
type X509Certificate ¶
type X509Data ¶
// X509Data is the <ds:X509Data> inside KeyInfo. It identifies the key the
// signer claims to have used and must not be used as the trust anchor;
// verify against the configured IDPPublicCertPath instead.
//
// NOTE(review): ",innerxml" is documented for string/[]byte fields; confirm a
// struct-typed X509Certificate actually round-trips through encoding/xml.
type X509Data struct {
	XMLName         xml.Name
	X509Certificate X509Certificate `xml:",innerxml"`
}