Copyright 2016 Russell Haering et al.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Russell Haering et al.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Russell Haering et al.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Russell Haering et al.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Constants ¶
// Well-known public-key encryption methods: the XML Encryption key-transport
// algorithm URIs this package recognises by name.
//
// NOTE(review): MethodRSAv1_5 is RSA PKCS#1 v1.5 key transport, which XML
// Encryption 1.1 discourages because of padding-oracle attacks on the
// unwrapping step; which of these URIs the decrypting code actually accepts is
// decided outside this listing.
const (
	MethodRSAOAEP  = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
	MethodRSAOAEP2 = "http://www.w3.org/2009/xmlenc11#rsa-oaep"
	MethodRSAv1_5  = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
)
// Well-known private key (symmetric data-encryption) methods: the XML
// Encryption block-cipher algorithm URIs this package recognises by name.
//
// NOTE(review): only MethodAES128GCM is an authenticated mode; the CBC modes
// provide no integrity protection of the ciphertext on their own.
const (
	MethodAES128GCM    = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
	MethodAES128CBC    = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
	MethodAES256CBC    = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
	MethodTripleDESCBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
)
// Well-known hash methods: the XML Signature digest algorithm URIs this
// package recognises by name.
//
// NOTE(review): SHA-1 is kept for interoperability only; whether a SHA-1
// digest is accepted during signature validation is decided outside this
// listing.
const (
	MethodSHA1   = "http://www.w3.org/2000/09/xmldsig#sha1"
	MethodSHA256 = "http://www.w3.org/2000/09/xmldsig#sha256"
	MethodSHA512 = "http://www.w3.org/2000/09/xmldsig#sha512"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Assertion ¶
// Assertion is the SAML 2.0 <saml:Assertion> element; a Response carries zero
// or more of them in its Assertions field.
//
// Every XML-tagged field is populated straight from the parsed document and
// nothing in this type verifies it. SignatureValidated is excluded from XML
// (tag "-"); presumably it is set by the signature-validation code elsewhere
// in the library, so consumers should treat the other fields as untrusted
// until it is true — confirm against the validator.
type Assertion struct {
	XMLName            xml.Name            `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Version            string              `xml:"Version,attr"`
	ID                 string              `xml:"ID,attr"`
	IssueInstant       time.Time           `xml:"IssueInstant,attr"`
	Issuer             *Issuer             `xml:"Issuer"`
	Signature          *Signature          `xml:"Signature"`
	Subject            *Subject            `xml:"Subject"`
	Conditions         *Conditions         `xml:"Conditions"`
	AttributeStatement *AttributeStatement `xml:"AttributeStatement"`
	AuthnStatement     *AuthnStatement     `xml:"AuthnStatement"`
	SignatureValidated bool                `xml:"-"` // not read, not dumped
}
type AttributeStatement ¶
type AttributeValue ¶
type AudienceRestriction ¶
type AuthnContext ¶ added in v0.2.0
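// AuthnContext is the SAML 2.0 <saml:AuthnContext> element of an
// AuthnStatement; it holds the AuthnContextClassRef reported by the IdP.
type AuthnContext struct {
	// The tag must be well-formed (`xml:"..."`): reflect's struct-tag parser
	// silently ignores a tag whose value is not quoted, which would drop the
	// namespace/name constraint on this element.
	XMLName              xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContext"`
	AuthnContextClassRef *AuthnContextClassRef `xml:"AuthnContextClassRef"`
}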
type AuthnContextClassRef ¶ added in v0.2.0
type AuthnStatement ¶
// AuthnStatement is the SAML 2.0 <saml:AuthnStatement> element of an Assertion.
//
// AuthnInstant and SessionNotOnOrAfter are pointers with omitempty so that an
// absent attribute stays nil instead of becoming the zero time.
//
// NOTE(review): SessionNotOnOrAfter is only parsed here; check that the
// session-handling code enforces it.
type AuthnStatement struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnStatement"`
	// Section 4.1.4.2 - https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	// If the identity provider supports the Single Logout profile, defined in Section 4.4,
	// any such authentication statements MUST include a SessionIndex attribute to enable
	// per-session logout requests by the service provider.
	SessionIndex        string        `xml:"SessionIndex,attr,omitempty"`
	AuthnInstant        *time.Time    `xml:"AuthnInstant,attr,omitempty"`
	SessionNotOnOrAfter *time.Time    `xml:"SessionNotOnOrAfter,attr,omitempty"`
	AuthnContext        *AuthnContext `xml:"AuthnContext"`
}
type Conditions ¶
// Conditions is the SAML 2.0 <saml:Conditions> element of an Assertion.
//
// NotBefore and NotOnOrAfter are kept as the raw attribute strings rather than
// time.Time, so this type does no parsing or validity-window check itself;
// presumably the validator parses and enforces them — confirm there.
type Conditions struct {
	XMLName              xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	NotBefore            string                `xml:"NotBefore,attr"`
	NotOnOrAfter         string                `xml:"NotOnOrAfter,attr"`
	AudienceRestrictions []AudienceRestriction `xml:"AudienceRestriction"`
	OneTimeUse           *OneTimeUse           `xml:"OneTimeUse"`
	ProxyRestriction     *ProxyRestriction     `xml:"ProxyRestriction"`
}
type DigestMethod ¶
// DigestMethod is a digest type specification. Algorithm is the algorithm URI
// attribute; presumably one of the MethodSHA* constants when recognised.
type DigestMethod struct {
	Algorithm string `xml:",attr,omitempty"`
}
type EncryptedAssertion ¶
// EncryptedAssertion is the SAML 2.0 <saml:EncryptedAssertion> element: an
// XML Encryption EncryptedData wrapper around an Assertion. Decrypt and
// DecryptBytes (declared elsewhere) consume these fields.
//
// The symmetric key may arrive either inside EncryptedData>KeyInfo
// (EncryptedKey) or as a sibling element (DetEncryptedKey).
//
// NOTE(review): EncryptionMethod and both key blobs come from the untrusted
// document; the decrypting code should restrict the algorithms it accepts
// rather than honour EncryptionMethod.Algorithm as given.
type EncryptedAssertion struct {
	XMLName          xml.Name         `xml:"urn:oasis:names:tc:SAML:2.0:assertion EncryptedAssertion"`
	EncryptionMethod EncryptionMethod `xml:"EncryptedData>EncryptionMethod"`
	EncryptedKey     EncryptedKey     `xml:"EncryptedData>KeyInfo>EncryptedKey"`
	DetEncryptedKey  EncryptedKey     `xml:"EncryptedKey"` // detached EncryptedKey element
	CipherValue      string           `xml:"EncryptedData>CipherData>CipherValue"`
}
func (*EncryptedAssertion) Decrypt ¶
func (ea *EncryptedAssertion) Decrypt(cert *tls.Certificate) (*Assertion, error)
Decrypt decrypts and unmarshals the EncryptedAssertion.
func (*EncryptedAssertion) DecryptBytes ¶
func (ea *EncryptedAssertion) DecryptBytes(cert *tls.Certificate) ([]byte, error)
type EncryptedKey ¶
// EncryptedKey contains the decryption key data from the saml2 core and xmlenc
// standards. DecryptSymmetricKey (declared elsewhere) unwraps CipherValue.
//
// EncryptionMethod has no xml tag, so it is matched by field name.
//
// NOTE(review): X509Data is the certificate the sender embedded in KeyInfo; it
// is part of the untrusted document and should only be used to select among
// the SP's own configured certificates, never as a source of trust itself.
type EncryptedKey struct {
	// EncryptionMethod string `xml:"EncryptionMethod>Algorithm"`
	X509Data         string `xml:"KeyInfo>X509Data>X509Certificate"`
	CipherValue      string `xml:"CipherData>CipherValue"`
	EncryptionMethod EncryptionMethod
}
func (*EncryptedKey) DecryptSymmetricKey ¶
func (ek *EncryptedKey) DecryptSymmetricKey(cert *tls.Certificate) (cipher.Block, error)
DecryptSymmetricKey returns the symmetric key (as a cipher.Block) contained in the EncryptedKey document, unwrapped using cert.
type EncryptionMethod ¶
// EncryptionMethod specifies the type of encryption that was used. Algorithm
// is the algorithm URI attribute (compare the Method* constants).
type EncryptionMethod struct {
	Algorithm string `xml:",attr,omitempty"`
	// Digest method is present for algorithms like RSA-OAEP.
	// See https://www.w3.org/TR/xmlenc-core1/.
	// To convey the digest methods an entity supports,
	// DigestMethod in extensions element is used.
	// See http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-algsupport.html.
	DigestMethod *DigestMethod `xml:",omitempty"`
}
type EntityDescriptor ¶
// EntityDescriptor is the SAML 2.0 metadata <md:EntityDescriptor> element for
// a single SP or IdP. Exactly which of SPSSODescriptor and IDPSSODescriptor is
// set depends on the entity described; both are optional.
//
// NOTE(review): ValidUntil is parsed but not enforced by this type; metadata
// consumers should compare it against the current time before trusting the
// descriptor's keys and endpoints.
type EntityDescriptor struct {
	XMLName    xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	ValidUntil time.Time `xml:"validUntil,attr"`
	// SAML 2.0 8.3.6 Entity Identifier could be used to represent issuer
	EntityID         string            `xml:"entityID,attr"`
	SPSSODescriptor  *SPSSODescriptor  `xml:"SPSSODescriptor,omitempty"`
	IDPSSODescriptor *IDPSSODescriptor `xml:"IDPSSODescriptor,omitempty"`
	Extensions       *Extensions       `xml:"Extensions,omitempty"`
}
type Extensions ¶ added in v0.4.1
// Extensions is the metadata <Extensions> element used here to advertise the
// digest and signing algorithms an entity supports (see the DigestMethod
// comment on EncryptionMethod for the algorithm-support profile reference).
type Extensions struct {
	DigestMethod  *DigestMethod  `xml:",omitempty"`
	SigningMethod *SigningMethod `xml:",omitempty"`
}
type IDPSSODescriptor ¶
// IDPSSODescriptor is the SAML 2.0 metadata <md:IDPSSODescriptor> element:
// the keys, supported NameID formats and endpoints an identity provider
// publishes.
type IDPSSODescriptor struct {
	XMLName                 xml.Name              `xml:"urn:oasis:names:tc:SAML:2.0:metadata IDPSSODescriptor"`
	WantAuthnRequestsSigned bool                  `xml:"WantAuthnRequestsSigned,attr"`
	KeyDescriptors          []KeyDescriptor       `xml:"KeyDescriptor"`
	NameIDFormats           []NameIDFormat        `xml:"NameIDFormat"`
	SingleSignOnServices    []SingleSignOnService `xml:"SingleSignOnService"`
	SingleLogoutServices    []SingleLogoutService `xml:"SingleLogoutService"`
	Attributes              []Attribute           `xml:"Attribute"`
	Extensions              *Extensions           `xml:"Extensions,omitempty"`
}
type IndexedEndpoint ¶
type KeyDescriptor ¶
type LogoutResponse ¶ added in v0.4.1
// LogoutResponse is the SAML 2.0 <samlp:LogoutResponse> element.
//
// SignatureValidated is excluded from XML (tag "-"); presumably it is set by
// the signature-validation code elsewhere in the library — confirm there.
type LogoutResponse struct {
	XMLName            xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol LogoutResponse"`
	ID                 string    `xml:"ID,attr"`
	InResponseTo       string    `xml:"InResponseTo,attr"`
	Destination        string    `xml:"Destination,attr"`
	Version            string    `xml:"Version,attr"`
	IssueInstant       time.Time `xml:"IssueInstant,attr"`
	Status             *Status   `xml:"Status"`
	Issuer             *Issuer   `xml:"Issuer"`
	SignatureValidated bool      `xml:"-"` // not read, not dumped
}
type NameIDFormat ¶
type OneTimeUse ¶
type ProxyRestriction ¶
type Response ¶
// Response is the SAML 2.0 <samlp:Response> element. Assertions holds the
// plaintext assertions and EncryptedAssertions the encrypted ones; a response
// may carry either or both.
//
// SignatureValidated is excluded from XML (tag "-"); presumably it is set by
// the signature-validation code elsewhere in the library. Note that it records
// validation of the Response element itself; each Assertion carries its own
// SignatureValidated flag — confirm how the validator treats the two.
type Response struct {
	XMLName             xml.Name             `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID                  string               `xml:"ID,attr"`
	InResponseTo        string               `xml:"InResponseTo,attr"`
	Destination         string               `xml:"Destination,attr"`
	Version             string               `xml:"Version,attr"`
	IssueInstant        time.Time            `xml:"IssueInstant,attr"`
	Status              *Status              `xml:"Status"`
	Issuer              *Issuer              `xml:"Issuer"`
	Assertions          []Assertion          `xml:"Assertion"`
	EncryptedAssertions []EncryptedAssertion `xml:"EncryptedAssertion"`
	SignatureValidated  bool                 `xml:"-"` // not read, not dumped
}
type SPSSODescriptor ¶
// SPSSODescriptor is the SAML 2.0 metadata <md:SPSSODescriptor> element: the
// keys, endpoints and signing expectations a service provider publishes.
//
// AuthnRequestsSigned and WantAssertionsSigned are plain bools, so an absent
// attribute reads as false.
type SPSSODescriptor struct {
	XMLName                    xml.Name          `xml:"urn:oasis:names:tc:SAML:2.0:metadata SPSSODescriptor"`
	AuthnRequestsSigned        bool              `xml:"AuthnRequestsSigned,attr"`
	WantAssertionsSigned       bool              `xml:"WantAssertionsSigned,attr"`
	ProtocolSupportEnumeration string            `xml:"protocolSupportEnumeration,attr"`
	KeyDescriptors             []KeyDescriptor   `xml:"KeyDescriptor"`
	SingleLogoutServices       []Endpoint        `xml:"SingleLogoutService"`
	NameIDFormats              []string          `xml:"NameIDFormat"`
	AssertionConsumerServices  []IndexedEndpoint `xml:"AssertionConsumerService"`
	Extensions                 *Extensions       `xml:"Extensions,omitempty"`
}
type SigningMethod ¶ added in v0.4.1
type SingleLogoutService ¶ added in v0.4.1
type SingleSignOnService ¶
type Status ¶
// Status is the SAML 2.0 <samlp:Status> element of a Response or
// LogoutResponse; the outcome itself is in the nested StatusCode.
type Status struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
	StatusCode *StatusCode `xml:"StatusCode"`
}
type StatusCode ¶
type Subject ¶
// Subject is the SAML 2.0 <saml:Subject> element of an Assertion: the
// NameID of the principal plus a single SubjectConfirmation.
type Subject struct {
	XMLName             xml.Name             `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	NameID              *NameID              `xml:"NameID"`
	SubjectConfirmation *SubjectConfirmation `xml:"SubjectConfirmation"`
}
type SubjectConfirmation ¶
// SubjectConfirmation is the SAML 2.0 <saml:SubjectConfirmation> element.
// Method is the confirmation-method URI attribute; the recipient, validity
// and InResponseTo constraints live in SubjectConfirmationData.
type SubjectConfirmation struct {
	XMLName                 xml.Name                 `xml:"urn:oasis:names:tc:SAML:2.0:assertion SubjectConfirmation"`
	Method                  string                   `xml:"Method,attr"`
	SubjectConfirmationData *SubjectConfirmationData `xml:"SubjectConfirmationData"`
}
type SubjectConfirmationData ¶
type UnverifiedBaseResponse ¶ added in v0.3.0
// UnverifiedBaseResponse extracts several basic attributes of a SAML Response
// which may be useful in deciding how to validate the Response. An
// UnverifiedBaseResponse is parsed by this library prior to any validation of
// the Response, so the values it contains may have been supplied by an
// attacker and should not be trusted as authoritative from the IdP.
//
// It deliberately carries no Status, Assertions or signature state: it is a
// routing aid for choosing how to validate, not a substitute for validation.
type UnverifiedBaseResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID           string   `xml:"ID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
	Version      string   `xml:"Version,attr"`
	Issuer       *Issuer  `xml:"Issuer"`
}