Constants ¶
This section is empty.
Variables ¶
var (
	// FeatureId identifies the SAML login feature and fixes its order among
	// security features via security.FeatureOrderSamlLogin.
	FeatureId = security.FeatureId("saml_login", security.FeatureOrderSamlLogin)
	// LogoutFeatureId identifies the SAML logout feature (ordered by
	// security.FeatureOrderSamlLogout).
	LogoutFeatureId = security.FeatureId("saml_logout", security.FeatureOrderSamlLogout)
)

// ErrSamlSloRequired is the authentication error signalling that a SAML single
// logout (SLO) must run before the local logout can complete.
// NOTE(review): presumably the error SingleLogoutHandler.ShouldLogout returns to
// divert the logout flow into the authentication entry point — confirm.
var ErrSamlSloRequired = security.NewAuthenticationError("SAML SLO required")

// Module registers this package's SAML authenticator with the bootstrap
// framework; the register invoker is wired in via fx.
var Module = &bootstrap.Module{
	Name:       "saml authenticator",
	Precedence: security.MinSecurityPrecedence + 30,
	Options: []fx.Option{
		fx.Invoke(register),
	},
}

// SupportedBindings is the set of SAML protocol bindings this service provider
// accepts: HTTP-Redirect and HTTP-POST.
var SupportedBindings = utils.NewStringSet(saml.HTTPRedirectBinding, saml.HTTPPostBinding)
Functions ¶
func NewTrackedRequestSuccessHandler ¶
func NewTrackedRequestSuccessHandler(tracker samlsp.RequestTracker) security.AuthenticationSuccessHandler
Types ¶
type AssertionCandidate ¶
func (*AssertionCandidate) Credentials ¶
func (a *AssertionCandidate) Credentials() interface{}
func (*AssertionCandidate) Details ¶
func (a *AssertionCandidate) Details() interface{}
func (*AssertionCandidate) Principal ¶
func (a *AssertionCandidate) Principal() interface{}
type Authenticator ¶
type Authenticator struct {
// contains filtered or unexported fields
}
func (*Authenticator) Authenticate ¶
func (a *Authenticator) Authenticate(ctx context.Context, candidate security.Candidate) (security.Authentication, error)
type CacheableIdpClientManager ¶
type CacheableIdpClientManager struct {
// contains filtered or unexported fields
}
func NewCacheableIdpClientManager ¶
func NewCacheableIdpClientManager(template saml.ServiceProvider) *CacheableIdpClientManager
func (*CacheableIdpClientManager) GetAllClients ¶
func (m *CacheableIdpClientManager) GetAllClients() []*saml.ServiceProvider
func (*CacheableIdpClientManager) GetClientByComparator ¶
func (m *CacheableIdpClientManager) GetClientByComparator(comparator func(details samlctx.SamlIdentityProvider) bool) (client *saml.ServiceProvider, ok bool)
func (*CacheableIdpClientManager) GetClientByDomain ¶
func (m *CacheableIdpClientManager) GetClientByDomain(domain string) (client *saml.ServiceProvider, ok bool)
func (*CacheableIdpClientManager) GetClientByEntityId ¶
func (m *CacheableIdpClientManager) GetClientByEntityId(entityId string) (client *saml.ServiceProvider, ok bool)
func (*CacheableIdpClientManager) RefreshCache ¶
func (m *CacheableIdpClientManager) RefreshCache(ctx context.Context, identityProviders []samlctx.SamlIdentityProvider)
type CookieRequestTracker ¶
// CookieRequestTracker tracks pending SAML requests by setting a uniquely named
// cookie for each request; TrackRequest creates the cookie and
// GetTrackedRequest / StopTrackingRequest read and clear it.
type CookieRequestTracker struct {
	// NamePrefix is presumably prepended to each per-request cookie name — confirm.
	NamePrefix string
	// Codec encodes the tracked request into the cookie value and decodes it back.
	Codec samlsp.TrackedRequestCodec
	// MaxAge bounds how long a tracking cookie (and so the pending request) stays valid.
	MaxAge time.Duration
	// SameSite is the SameSite attribute set on the tracking cookie.
	// NOTE(review): the ACS endpoint is reached by a cross-site POST from the IdP
	// (SupportedBindings includes saml.HTTPPostBinding). With Strict or Lax mode the
	// browser does not send this cookie on that request, so the tracked request
	// would not be found at the ACS; None mode in turn requires Secure to be true
	// or browsers reject the cookie — confirm the configured combination.
	SameSite http.SameSite
	// Secure sets the Secure attribute so the cookie is only sent over HTTPS.
	Secure bool
	// Path is the Path attribute of the tracking cookie.
	Path string
}
CookieRequestTracker tracks requests by setting a uniquely named cookie for each request.
func (CookieRequestTracker) GetTrackedRequest ¶
func (t CookieRequestTracker) GetTrackedRequest(r *http.Request, index string) (*samlsp.TrackedRequest, error)
GetTrackedRequest returns a pending tracked request.
func (CookieRequestTracker) GetTrackedRequests ¶
func (t CookieRequestTracker) GetTrackedRequests(r *http.Request) []samlsp.TrackedRequest
GetTrackedRequests returns all the pending tracked requests.
func (CookieRequestTracker) StopTrackingRequest ¶
func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http.Request, index string) error
StopTrackingRequest stops tracking the SAML request given by index, which is a string previously returned from TrackRequest.
func (CookieRequestTracker) TrackRequest ¶
func (t CookieRequestTracker) TrackRequest(w http.ResponseWriter, r *http.Request, samlRequestID string) (string, error)
TrackRequest starts tracking the SAML request with the given ID. It returns an `index` that should be used as the RelayState in the SAML request flow.
type Feature ¶
type Feature struct {
// contains filtered or unexported fields
}
func (*Feature) Identifier ¶
func (f *Feature) Identifier() security.FeatureIdentifier
type SLOState ¶
// SLOState is a bit set describing the progress and outcome of a SAML single
// logout (SLO); individual flags are tested with a bitwise AND.
type SLOState int

const (
	// SLOInitiated is set once a single logout has been started.
	SLOInitiated SLOState = 1 << iota
	// SLOCompletedFully marks a single logout that completed fully.
	SLOCompletedFully
	// SLOCompletedPartially marks a single logout that only partially completed.
	SLOCompletedPartially
	// SLOFailed marks a single logout that failed.
	SLOFailed
	// SLOCompleted is the mask of all terminal outcomes; a state ANDed with it is
	// non-zero once the SLO has finished, regardless of how.
	SLOCompleted = SLOCompletedFully | SLOCompletedPartially | SLOFailed
)
type SPLoginMiddleware ¶
type SPLoginMiddleware struct { SPMetadataMiddleware // contains filtered or unexported fields }
SPLoginMiddleware A SAML service provider should be able to work with multiple identity providers. Because the saml package assumes a service provider is configured with only one IdP, we use the internal field to store information about this service provider, and we create a new saml.ServiceProvider struct for each new IdP connection when it is needed.
func NewLoginMiddleware ¶
func NewLoginMiddleware(sp saml.ServiceProvider, tracker samlsp.RequestTracker, idpManager idp.IdentityProviderManager, clientManager *CacheableIdpClientManager, handler security.AuthenticationSuccessHandler, authenticator security.Authenticator, errorPath string) *SPLoginMiddleware
func (*SPLoginMiddleware) ACSHandlerFunc ¶
func (sp *SPLoginMiddleware) ACSHandlerFunc() gin.HandlerFunc
ACSHandlerFunc is the Assertion Consumer Service (ACS) handler endpoint. The IdP redirects to this endpoint with the authentication response.
func (*SPLoginMiddleware) Commence ¶
func (sp *SPLoginMiddleware) Commence(c context.Context, r *http.Request, w http.ResponseWriter, _ error)
func (*SPLoginMiddleware) MakeAuthenticationRequest ¶
func (sp *SPLoginMiddleware) MakeAuthenticationRequest(ctx context.Context, r *http.Request, w http.ResponseWriter) error
MakeAuthenticationRequest Since we support multiple domains, each with a different IdP, the auth request specifies which matching ACS the IdP should use to call back.
type SPLogoutMiddleware ¶
type SPLogoutMiddleware struct { SPMetadataMiddleware // contains filtered or unexported fields }
func NewLogoutMiddleware ¶
func NewLogoutMiddleware(sp saml.ServiceProvider, idpManager idp.IdentityProviderManager, clientManager *CacheableIdpClientManager, successHandler security.AuthenticationSuccessHandler) *SPLogoutMiddleware
func (*SPLogoutMiddleware) Commence ¶
func (m *SPLogoutMiddleware) Commence(ctx context.Context, r *http.Request, w http.ResponseWriter, err error)
Commence implements security.AuthenticationEntryPoint. It is used when SP-initiated SLO is required.
func (*SPLogoutMiddleware) LogoutHandlerFunc ¶
func (m *SPLogoutMiddleware) LogoutHandlerFunc() gin.HandlerFunc
LogoutHandlerFunc returns the handler function that handles the LogoutResponse/LogoutRequest sent by the IdP. It is used to handle the response to an SP-initiated SLO when we initiated it, so that our internal logout process can continue.
func (*SPLogoutMiddleware) MakeSingleLogoutRequest ¶
func (m *SPLogoutMiddleware) MakeSingleLogoutRequest(ctx context.Context, r *http.Request, w http.ResponseWriter) error
MakeSingleLogoutRequest initiates SLO at the IdP by sending a logout request using a supported binding.
type SPMetadataMiddleware ¶
type SPMetadataMiddleware struct {
// contains filtered or unexported fields
}
SPMetadataMiddleware A SAML service provider should be able to work with multiple identity providers. Because the saml package assumes a service provider is configured with only one IdP, we use the internal field to store information about this service provider, and we create a new saml.ServiceProvider struct for each new IdP connection when it is needed.
func (*SPMetadataMiddleware) MetadataHandlerFunc ¶
func (m *SPMetadataMiddleware) MetadataHandlerFunc() gin.HandlerFunc
MetadataHandlerFunc is the endpoint that provides the SP's metadata.
func (*SPMetadataMiddleware) RefreshMetadataHandler ¶
func (m *SPMetadataMiddleware) RefreshMetadataHandler() gin.HandlerFunc
RefreshMetadataHandler is the middleware responsible for refreshing the IdP's metadata whenever a SAML login/logout-related endpoint is called.
type SPOptions ¶
// SPOptions configures the SAML service provider (SP) side of this package.
// Only the exported fields are documented here; godoc filters the rest.
type SPOptions struct {
	// Key is the SP's private key, paired with Certificate.
	// NOTE(review): presumably used to sign requests when SignRequest is set and
	// to decrypt encrypted assertions — confirm against the constructor.
	Key *rsa.PrivateKey
	// Certificate is the SP certificate corresponding to Key.
	Certificate *x509.Certificate
	// Intermediates are additional certificates published alongside Certificate,
	// presumably in the SP metadata — confirm.
	Intermediates []*x509.Certificate
	// AllowIDPInitiated permits unsolicited (IdP-initiated) responses at the ACS.
	// NOTE(review): an unsolicited response carries no InResponseTo tied to a
	// tracked request, so the request tracker's check that a response answers a
	// request this SP issued cannot apply to it; keep this false unless
	// IdP-initiated SSO is actually required.
	AllowIDPInitiated bool
	// SignRequest controls whether outgoing authentication requests are signed.
	SignRequest bool
	// ForceAuthn sets ForceAuthn on the authentication request, asking the IdP to
	// re-authenticate the user even if it already has a session for them.
	ForceAuthn bool
	// NameIdFormat is the NameID format requested from the IdP.
	NameIdFormat string
	// contains filtered or unexported fields
}
type SamlAssertionAuthentication ¶
// SamlAssertionAuthentication is a security.Authentication that also exposes
// the SAML assertion it was derived from.
type SamlAssertionAuthentication interface {
	security.Authentication
	// Assertion returns the SAML assertion backing this authentication.
	Assertion() *saml.Assertion
}
type SamlAuthConfigurer ¶
type SamlAuthConfigurer struct {
// contains filtered or unexported fields
}
func (*SamlAuthConfigurer) Apply ¶
func (c *SamlAuthConfigurer) Apply(feature security.Feature, ws security.WebSecurity) error
type SamlLogoutConfigurer ¶
type SamlLogoutConfigurer struct {
// contains filtered or unexported fields
}
func (*SamlLogoutConfigurer) Apply ¶
func (c *SamlLogoutConfigurer) Apply(feature security.Feature, ws security.WebSecurity) error
type SingleLogoutHandler ¶
// SingleLogoutHandler is a stateless logout handler whose ShouldLogout method
// interrupts the local logout flow so that SAML single logout (SLO) can be
// initiated first.
type SingleLogoutHandler struct{}
func NewSingleLogoutHandler ¶
func NewSingleLogoutHandler() *SingleLogoutHandler
func (*SingleLogoutHandler) HandleLogout ¶
func (h *SingleLogoutHandler) HandleLogout(ctx context.Context, _ *http.Request, _ http.ResponseWriter, auth security.Authentication) error
func (*SingleLogoutHandler) ShouldLogout ¶
func (h *SingleLogoutHandler) ShouldLogout(ctx context.Context, _ *http.Request, _ http.ResponseWriter, auth security.Authentication) error
ShouldLogout is a logout.ConditionalLogoutHandler method that interrupts the logout process by returning an authentication error, which triggers the authentication entry point and initiates SLO.
type TrackedRequestSuccessHandler ¶
type TrackedRequestSuccessHandler struct {
// contains filtered or unexported fields
}
func (*TrackedRequestSuccessHandler) HandleAuthenticationSuccess ¶
func (t *TrackedRequestSuccessHandler) HandleAuthenticationSuccess(c context.Context, r *http.Request, rw http.ResponseWriter, from, to security.Authentication)