sp

package

README

SAML SP

This module enables a service to act as a SAML service provider (SP), i.e. to allow login through a third-party identity provider using the SAML protocol. The feature has two feature configurers.

The login feature configurer does the following:

  1. Add metadata endpoint (/saml/metadata)
  2. Add ACS endpoint (/saml/SSO)
  3. Add metadata refresh middleware that covers the above two endpoints
  4. Make the metadata endpoint and the ACS endpoint public
  5. Add an authentication entry point that triggers the SAML login process

The logout feature configurer does the following:

  1. Add single logout endpoint
  2. Add metadata refresh middleware that covers the endpoint
  3. Add logout handler
  4. Add a logout entry point (the entry point that sends the logout request to the IdP)

When the SAML login feature is enabled, these middlewares and endpoints are added to the web security configuration.

Misc

Create the SAML private key and certificate using the following commands:

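# Generate the SP's RSA private key. 2048 bits is the current minimum: 1024-bit RSA
# has been deprecated (NIST SP 800-131A) and is below what current IdPs and crypto
# libraries expect. -aes256 encrypts the key file with a passphrase prompted for here.
openssl genrsa -out saml.key -aes256 2048
# Issue a self-signed certificate for that key; this is what gets published in the SP
# metadata. Adjust -days to your rotation policy and redistribute the certificate to
# every IdP when it is rotated.
openssl req -key saml.key -new -x509 -days 36500 -out saml.crt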

Documentation

Index

Constants

This section is empty.

Variables

var (
	// FeatureId identifies the SAML login feature ("saml_login"), ordered by
	// security.FeatureOrderSamlLogin.
	FeatureId       = security.FeatureId("saml_login", security.FeatureOrderSamlLogin)
	// LogoutFeatureId identifies the SAML logout feature ("saml_logout"), ordered by
	// security.FeatureOrderSamlLogout.
	LogoutFeatureId = security.FeatureId("saml_logout", security.FeatureOrderSamlLogout)
)
// ErrSamlSloRequired is the authentication error signalling that a SAML single logout
// (SLO) must be performed before the local logout can proceed. NOTE(review): presumably
// the error SingleLogoutHandler.ShouldLogout returns to trigger the entry point — confirm.
var ErrSamlSloRequired = security.NewAuthenticationError("SAML SLO required")
// Module is the bootstrap module for the SAML service-provider ("saml authenticator")
// feature. Its only option invokes register via fx.
var Module = &bootstrap.Module{
	Name:       "saml authenticator",
	// Offset from security.MinSecurityPrecedence; NOTE(review): confirm whether a
	// larger precedence value means this module is wired after the core security modules.
	Precedence: security.MinSecurityPrecedence + 30,
	Options: []fx.Option{
		fx.Invoke(register),
	},
}

Functions

func Use

func Use()

Types

type AssertionCandidate

// AssertionCandidate pairs a SAML assertion with a free-form details map.
// NOTE(review): presumably the security.Candidate passed to Authenticator.Authenticate — confirm.
type AssertionCandidate struct {
	Assertion  *saml.Assertion        // the SAML assertion backing this candidate
	DetailsMap map[string]interface{} // additional details; the key set is not fixed by this type
}

func (*AssertionCandidate) Credentials

func (a *AssertionCandidate) Credentials() interface{}

func (*AssertionCandidate) Details

func (a *AssertionCandidate) Details() interface{}

func (*AssertionCandidate) Principal

func (a *AssertionCandidate) Principal() interface{}

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

func (*Authenticator) Authenticate

func (a *Authenticator) Authenticate(ctx context.Context, candidate security.Candidate) (security.Authentication, error)

type CacheableIdpClientManager

type CacheableIdpClientManager struct {
	// contains filtered or unexported fields
}

func NewCacheableIdpClientManager

func NewCacheableIdpClientManager(template saml.ServiceProvider) *CacheableIdpClientManager

func (*CacheableIdpClientManager) GetAllClients

func (m *CacheableIdpClientManager) GetAllClients() []*saml.ServiceProvider

func (*CacheableIdpClientManager) GetClientByComparator

func (m *CacheableIdpClientManager) GetClientByComparator(comparator func(details samlctx.SamlIdentityProvider) bool) (client *saml.ServiceProvider, ok bool)

func (*CacheableIdpClientManager) GetClientByDomain

func (m *CacheableIdpClientManager) GetClientByDomain(domain string) (client *saml.ServiceProvider, ok bool)

func (*CacheableIdpClientManager) GetClientByEntityId

func (m *CacheableIdpClientManager) GetClientByEntityId(entityId string) (client *saml.ServiceProvider, ok bool)

func (*CacheableIdpClientManager) RefreshCache

func (m *CacheableIdpClientManager) RefreshCache(ctx context.Context, identityProviders []samlctx.SamlIdentityProvider)

type CookieRequestTracker

// CookieRequestTracker tracks requests by setting a uniquely named cookie for each request.
// The fields below are the attributes applied to each tracking cookie (presumably by TrackRequest).
type CookieRequestTracker struct {
	NamePrefix string                     // prefix of every tracking cookie's name
	Codec      samlsp.TrackedRequestCodec // encodes/decodes the tracked request stored in the cookie
	MaxAge     time.Duration              // cookie lifetime; bounds how long a pending request stays redeemable
	SameSite   http.SameSite              // SameSite attribute; NOTE(review): the IdP's POST back to the ACS is cross-site, so Strict/Lax may drop the cookie — verify
	Secure     bool                       // Secure attribute; should be set whenever the SP is served over HTTPS
	Path       string                     // Path attribute of the cookie
}

CookieRequestTracker tracks requests by setting a uniquely named cookie for each request.

func (CookieRequestTracker) GetTrackedRequest

func (t CookieRequestTracker) GetTrackedRequest(r *http.Request, index string) (*samlsp.TrackedRequest, error)

GetTrackedRequest returns a pending tracked request.

func (CookieRequestTracker) GetTrackedRequests

func (t CookieRequestTracker) GetTrackedRequests(r *http.Request) []samlsp.TrackedRequest

GetTrackedRequests returns all the pending tracked requests.

func (CookieRequestTracker) StopTrackingRequest

func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http.Request, index string) error

StopTrackingRequest stops tracking the SAML request given by index, which is a string previously returned from TrackRequest.

func (CookieRequestTracker) TrackRequest

func (t CookieRequestTracker) TrackRequest(w http.ResponseWriter, r *http.Request, samlRequestID string) (string, error)

TrackRequest starts tracking the SAML request with the given ID. It returns an `index` that should be used as the RelayState in the SAML request flow.

type Feature

type Feature struct {
	// contains filtered or unexported fields
}

func New

func New() *Feature

func NewLogout

func NewLogout() *Feature

func (*Feature) ErrorPath

func (f *Feature) ErrorPath(path string) *Feature

func (*Feature) Identifier

func (f *Feature) Identifier() security.FeatureIdentifier

func (*Feature) Issuer

func (f *Feature) Issuer(issuer security.Issuer) *Feature

type SLOState

// SLOState is a bit set recording the progress of a single logout (SLO) flow;
// test it with Is rather than ==.
type SLOState int
const (
	SLOInitiated SLOState = 1 << iota // the SLO flow has been started
	SLOCompletedFully                 // presumably: SLO finished with every party logged out
	SLOCompletedPartially             // presumably: SLO finished with only some parties logged out
	SLOFailed                         // the SLO flow ended in failure
	// SLOCompleted is the union of all terminal states (fully, partially, failed).
	SLOCompleted = SLOCompletedFully | SLOCompletedPartially | SLOFailed
)

func (SLOState) Is

func (s SLOState) Is(mask SLOState) bool

type SPLoginMiddleware

type SPLoginMiddleware struct {
	SPMetadataMiddleware
	// contains filtered or unexported fields
}

SPLoginMiddleware: a SAML service provider should be able to work with multiple identity providers. Because the saml package assumes a service provider is configured with only one IdP, we use the internal field to store information about this service provider, and we create a new saml.ServiceProvider struct for each new IdP connection when it is needed.

func (*SPLoginMiddleware) ACSHandlerFunc

func (sp *SPLoginMiddleware) ACSHandlerFunc() gin.HandlerFunc

ACSHandlerFunc returns the Assertion Consumer Service (ACS) handler endpoint. The IdP redirects to this endpoint with the authentication response.

func (*SPLoginMiddleware) Commence

func (*SPLoginMiddleware) MakeAuthenticationRequest

func (sp *SPLoginMiddleware) MakeAuthenticationRequest(ctx context.Context, r *http.Request, w http.ResponseWriter) error

MakeAuthenticationRequest: since multiple domains are supported, each with a different IdP, the auth request specifies which matching ACS the IdP should use to call back.

type SPLogoutMiddleware

type SPLogoutMiddleware struct {
	SPMetadataMiddleware
	// contains filtered or unexported fields
}

func (*SPLogoutMiddleware) Commence

func (m *SPLogoutMiddleware) Commence(ctx context.Context, r *http.Request, w http.ResponseWriter, err error)

Commence implements security.AuthenticationEntryPoint. It is used when SP-initiated SLO is required.

func (*SPLogoutMiddleware) LogoutHandlerFunc

func (m *SPLogoutMiddleware) LogoutHandlerFunc() gin.HandlerFunc

LogoutHandlerFunc returns the handler function that handles the LogoutResponse/LogoutRequest sent by the IdP. It handles the response of an SP-initiated SLO when the SLO was initiated by us, in which case our internal logout process needs to continue.

func (*SPLogoutMiddleware) MakeSingleLogoutRequest

func (m *SPLogoutMiddleware) MakeSingleLogoutRequest(ctx context.Context, r *http.Request, w http.ResponseWriter) error

MakeSingleLogoutRequest initiates SLO at the IdP by sending a logout request using a supported binding.

type SPMetadataMiddleware

type SPMetadataMiddleware struct {
	// contains filtered or unexported fields
}

SPMetadataMiddleware: a SAML service provider should be able to work with multiple identity providers. Because the saml package assumes a service provider is configured with only one IdP, we use the internal field to store information about this service provider, and we create a new saml.ServiceProvider struct for each new IdP connection when it is needed.

func (*SPMetadataMiddleware) MetadataHandlerFunc

func (m *SPMetadataMiddleware) MetadataHandlerFunc() gin.HandlerFunc

MetadataHandlerFunc returns the endpoint that provides the SP's metadata.

func (*SPMetadataMiddleware) RefreshMetadataHandler

func (m *SPMetadataMiddleware) RefreshMetadataHandler() gin.HandlerFunc

RefreshMetadataHandler returns the middleware responsible for refreshing the IdP's metadata whenever a SAML login/logout related endpoint is called.

type SPOptions

// SPOptions holds the service provider's key material and the flags that shape the
// SAML requests it issues and the responses it accepts.
type SPOptions struct {
	Key               *rsa.PrivateKey     // SP private key; NOTE(review): presumably used for request signing and/or assertion decryption — confirm
	Certificate       *x509.Certificate   // SP certificate matching Key, presumably published in SP metadata
	Intermediates     []*x509.Certificate // intermediate certificates completing the SP certificate chain
	AllowIDPInitiated bool                // presumably accepts unsolicited (IdP-initiated) responses, which cannot be matched to a tracked request; leave false unless required
	SignRequest       bool                // presumably signs outgoing AuthnRequests with Key
	ForceAuthn        bool                // presumably sets ForceAuthn on AuthnRequests, asking the IdP to re-authenticate the user
	NameIdFormat      string              // NameID format requested from the IdP
	// contains filtered or unexported fields
}

type SamlAssertionAuthentication

// SamlAssertionAuthentication is a security.Authentication that also exposes the
// SAML assertion it was derived from.
type SamlAssertionAuthentication interface {
	security.Authentication
	Assertion() *saml.Assertion // the assertion backing this authentication
}

type SamlAuthConfigurer

type SamlAuthConfigurer struct {
	// contains filtered or unexported fields
}

func (*SamlAuthConfigurer) Apply

type SamlLogoutConfigurer

type SamlLogoutConfigurer struct {
	// contains filtered or unexported fields
}

func (*SamlLogoutConfigurer) Apply

type SingleLogoutHandler

// SingleLogoutHandler is a stateless (field-less) logout handler; its behaviour lives
// in ShouldLogout and HandleLogout.
type SingleLogoutHandler struct{}

func NewSingleLogoutHandler

func NewSingleLogoutHandler() *SingleLogoutHandler

func (*SingleLogoutHandler) HandleLogout

func (*SingleLogoutHandler) ShouldLogout

ShouldLogout is a logout.ConditionalLogoutHandler method that interrupts the logout process by returning an authentication error, which triggers the authentication entry point and initiates SLO.

type TrackedRequestSuccessHandler

type TrackedRequestSuccessHandler struct {
	// contains filtered or unexported fields
}

func (*TrackedRequestSuccessHandler) HandleAuthenticationSuccess

func (t *TrackedRequestSuccessHandler) HandleAuthenticationSuccess(c context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)
