README
¶
go-saml
A just good enough SAML client library written in Go. This library is by no means complete and has been developed to solve several specific integration efforts. However, it's a start, and it would be great to see it evolve into a more fleshed out implemention.
Inspired by the early work of Matt Baird.
The library supports:
- generating signed/unsigned AuthnRequests
- validating signed AuthnRequests
- generating service provider metadata
- generating signed Responses
- validating signed Responses
Installation
$ go get github.com/etdev/go-saml
Here's a convenient way to generate a certificate:
curl -sSL https://raw.githubusercontent.com/frntn/x509-san/master/gencert.sh | CRT_CN="mycert" bash
Usage
Below are samples to show how you might use the library.
Generating Signed AuthnRequests
sp := saml.ServiceProviderSettings{
PublicCertPath: "../default.crt",
PrivateKeyPath: "../default.key",
IDPSSOURL: "http://idp/saml2",
IDPSSODescriptorURL: "http://idp/issuer",
IDPPublicCertPath: "idpcert.crt",
SPSignRequest: "true",
AssertionConsumerServiceURL: "http://localhost:8000/saml_consume",
}
sp.Init()
// generate the AuthnRequest and then get a base64 encoded string of the XML
authnRequest := sp.GetAuthnRequest()
b64XML, err := authnRequest.EncodedSignedString(sp.PrivateKeyPath)
if err != nil {
panic(err)
}
// for convenience, get a URL formed with the SAMLRequest parameter
url, err := saml.GetAuthnRequestURL(sp.IDPSSOURL, b64XML)
if err != nil {
panic(err)
}
// below is bonus for how you might respond to a request with a form that POSTs to the IdP
data := struct {
Base64AuthRequest string
URL string
}{
Base64AuthRequest: b64XML,
URL: url,
}
t := template.New("saml")
t, err = t.Parse("<html><body style=\"display: none\" onload=\"document.frm.submit()\"><form method=\"post\" name=\"frm\" action=\"{{.URL}}\"><input type=\"hidden\" name=\"SAMLRequest\" value=\"{{.Base64AuthRequest}}\" /><input type=\"submit\" value=\"Submit\" /></form></body></html>")
// how you might respond to a request with the templated form that will auto post
t.Execute(w, data)
Validating a received SAML Response
response = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
encodedXML := r.FormValue("SAMLResponse")
if encodedXML == "" {
httpcommon.SendBadRequest(w, "SAMLResponse form value missing")
return
}
response, err := saml.ParseEncodedResponse(encodedXML)
if err != nil {
httpcommon.SendBadRequest(w, "SAMLResponse parse: "+err.Error())
return
}
err = response.Validate(&sp)
if err != nil {
httpcommon.SendBadRequest(w, "SAMLResponse validation: "+err.Error())
return
}
samlID := response.GetAttribute("uid")
if samlID == "" {
httpcommon.SendBadRequest(w, "SAML attribute identifier uid missing")
return
}
//...
}
Service provider metadata
func samlMetadataHandler(sp *saml.ServiceProviderSettings) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
md, err := sp.GetEntityDescriptor()
if err != nil {
w.WriteHeader(500)
w.Write([]byte("Error: " + err.Error()))
return
}
w.Header().Set("Content-Type", "application/xml")
w.Write([]byte(md))
})
}
Receiving a authnRequest
b64Request := r.URL.Query().Get("SAMLRequest")
if b64Request == "" {
w.WriteHeader(400)
w.Write([]byte("SAMLRequest parameter missing"))
return
}
defated, err := base64.StdEncoding.DecodeString(b64Request)
if err != nil {
w.WriteHeader(500)
w.Write([]byte("Error: " + err.Error()))
return
}
// enflate and unmarshal
var buffer bytes.Buffer
rdr := flate.NewReader(bytes.NewReader(defated))
io.Copy(&buffer, rdr)
var authnRequest saml.AuthnRequest
err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
if err != nil {
w.WriteHeader(500)
w.Write([]byte("Error: " + err.Error()))
return
}
if authnRequest.Issuer.Url != issuerURL {
w.WriteHeader(500)
w.Write([]byte("unauthorized issuer "+authnRequest.Issuer.Url))
return
}
Creating a SAML Response (if acting as an IdP)
issuer := "http://localhost:8000/saml"
authnResponse := saml.NewSignedResponse()
authnResponse.Issuer.Url = issuer
authnResponse.Assertion.Issuer.Url = issuer
authnResponse.Signature.KeyInfo.X509Data.X509Certificate.Cert = stringValueOfCert
authnResponse.Assertion.Subject.NameID.Value = userIdThatYouAuthenticated
authnResponse.AddAttribute("uid", userIdThatYouAuthenticated)
authnResponse.AddAttribute("email", "someone@domain")
authnResponse.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.InResponseTo = authnRequestIdRespondingTo
authnResponse.InResponseTo = authnRequestIdRespondingTo
authnResponse.Assertion.Subject.SubjectConfirmation.SubjectConfirmationData.Recipient = issuer
// signed XML string
signed, err := authnResponse.SignedString("/path/to/private.key")
// or signed base64 encoded XML string
b64XML, err := authnResponse.EncodedSignedString("/path/to/private.key")
Contributing
Would love any contributions you having including better documentation, tests, or more robust functionality.
git clone git@github.com:etdev/go-saml.git
make init
make test
Contact
Made with ❤ by Robots & Pencils (@robotsNpencils)
Maintainers
Documentation
¶
Index ¶
- func GetAuthnRequestURL(baseURL string, b64XML string, state string) (string, error)
- func SignRequest(xml string, privateKeyPath string) (string, error)
- func SignResponse(xml string, privateKeyPath string) (string, error)
- func VerifyRequestSignature(xml string, publicCertPath string) error
- func VerifyResponseSignature(xml string, publicCertPath string) error
- type Assertion
- type AssertionConsumerService
- type Attribute
- type AttributeStatement
- type AttributeValue
- type AuthnContextClassRef
- type AuthnRequest
- func (r *AuthnRequest) CompressedEncodedSignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) CompressedEncodedString() (string, error)
- func (r *AuthnRequest) EncodedSignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) EncodedString() (string, error)
- func (r *AuthnRequest) SignedString(privateKeyPath string) (string, error)
- func (r *AuthnRequest) String() (string, error)
- func (r *AuthnRequest) Validate(publicCertPath string) error
- type CanonicalizationMethod
- type Conditions
- type DigestMethod
- type DigestValue
- type EntityAttributes
- type EntityDescriptor
- type Extensions
- type IdentityProviderSettings
- type Issuer
- type KeyDescriptor
- type KeyInfo
- type NameID
- type NameIDPolicy
- type RequestedAuthnContext
- type Response
- func (r *Response) AddAttribute(name, value string)
- func (r *Response) CompressedEncodedSignedString(privateKeyPath string) (string, error)
- func (r *Response) EncodedSignedString(privateKeyPath string) (string, error)
- func (r *Response) GetAttribute(name string) string
- func (r *Response) SignedString(privateKeyPath string) (string, error)
- func (r *Response) String() (string, error)
- func (r *Response) Validate(s *ServiceProviderSettings) error
- type SPSSODescriptor
- type SPSSODescriptors
- type SamlsigReference
- type ServiceProviderSettings
- func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest
- func (s *ServiceProviderSettings) GetEntityDescriptor() (string, error)
- func (s *ServiceProviderSettings) IDPPublicCert() string
- func (s *ServiceProviderSettings) Init() (err error)
- func (s *ServiceProviderSettings) PrivateKey() string
- func (s *ServiceProviderSettings) PublicCert() string
- type Signature
- type SignatureMethod
- type SignatureValue
- type SignedInfo
- type SingleLogoutService
- type Status
- type StatusCode
- type Subject
- type SubjectConfirmation
- type SubjectConfirmationData
- type Transform
- type Transforms
- type X509Certificate
- type X509Data
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetAuthnRequestURL ¶
GetAuthnRequestURL generate a URL for the AuthnRequest to the IdP with the SAMLRequst parameter encoded
func SignRequest ¶
SignRequest sign a SAML 2.0 AuthnRequest `privateKeyPath` must be a path on the filesystem, xmlsec1 is run out of process through `exec`
func SignResponse ¶
SignResponse sign a SAML 2.0 Response `privateKeyPath` must be a path on the filesystem, xmlsec1 is run out of process through `exec`
func VerifyRequestSignature ¶
VerifyRequestSignature verify signature of a SAML 2.0 AuthnRequest document `publicCertPath` must be a path on the filesystem, xmlsec1 is run out of process through `exec`
func VerifyResponseSignature ¶
VerifyResponseSignature verify signature of a SAML 2.0 Response document `publicCertPath` must be a path on the filesystem, xmlsec1 is run out of process through `exec`
Types ¶
type Assertion ¶
type Assertion struct {
XMLName xml.Name
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
XS string `xml:"xmlns:xs,attr"`
XSI string `xml:"xmlns:xsi,attr"`
SAML string `xml:"saml,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
Issuer Issuer `xml:"Issuer"`
Subject Subject
Conditions Conditions
AttributeStatement AttributeStatement
}
type AttributeStatement ¶
type AttributeValue ¶
type AuthnContextClassRef ¶
type AuthnRequest ¶
type AuthnRequest struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
SAML string `xml:"xmlns:saml,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr"`
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
ProtocolBinding string `xml:"ProtocolBinding,attr"`
AssertionConsumerServiceURL string `xml:"AssertionConsumerServiceURL,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
AssertionConsumerServiceIndex int `xml:"AssertionConsumerServiceIndex,attr"`
AttributeConsumingServiceIndex int `xml:"AttributeConsumingServiceIndex,attr"`
Issuer Issuer `xml:"Issuer"`
NameIDPolicy NameIDPolicy `xml:"NameIDPolicy"`
RequestedAuthnContext RequestedAuthnContext `xml:"RequestedAuthnContext"`
Signature Signature `xml:"Signature,omitempty"`
// contains filtered or unexported fields
}
func NewAuthnRequest ¶
func NewAuthnRequest() *AuthnRequest
func ParseCompressedEncodedRequest ¶
func ParseCompressedEncodedRequest(b64RequestXML string) (*AuthnRequest, error)
func ParseEncodedRequest ¶
func ParseEncodedRequest(b64RequestXML string) (*AuthnRequest, error)
func (*AuthnRequest) CompressedEncodedSignedString ¶
func (r *AuthnRequest) CompressedEncodedSignedString(privateKeyPath string) (string, error)
func (*AuthnRequest) CompressedEncodedString ¶
func (r *AuthnRequest) CompressedEncodedString() (string, error)
func (*AuthnRequest) EncodedSignedString ¶
func (r *AuthnRequest) EncodedSignedString(privateKeyPath string) (string, error)
GetAuthnRequestURL generate a URL for the AuthnRequest to the IdP with the SAMLRequst parameter encoded
func (*AuthnRequest) EncodedString ¶
func (r *AuthnRequest) EncodedString() (string, error)
func (*AuthnRequest) SignedString ¶
func (r *AuthnRequest) SignedString(privateKeyPath string) (string, error)
func (*AuthnRequest) String ¶
func (r *AuthnRequest) String() (string, error)
func (*AuthnRequest) Validate ¶
func (r *AuthnRequest) Validate(publicCertPath string) error
type CanonicalizationMethod ¶
type Conditions ¶
type DigestMethod ¶
type DigestValue ¶
type EntityAttributes ¶
type EntityDescriptor ¶
type EntityDescriptor struct {
XMLName xml.Name
DS string `xml:"xmlns:ds,attr"`
XMLNS string `xml:"xmlns,attr"`
MD string `xml:"xmlns:md,attr"`
EntityId string `xml:"entityID,attr"`
Extensions Extensions `xml:"Extensions"`
SPSSODescriptor SPSSODescriptor `xml:"SPSSODescriptor"`
}
type Extensions ¶
type IdentityProviderSettings ¶
type IdentityProviderSettings struct {
}
type KeyDescriptor ¶
type NameIDPolicy ¶
type RequestedAuthnContext ¶
type RequestedAuthnContext struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
Comparison string `xml:"Comparison,attr"`
AuthnContextClassRef AuthnContextClassRef `xml:"AuthnContextClassRef"`
}
type Response ¶
type Response struct {
XMLName xml.Name
SAMLP string `xml:"xmlns:samlp,attr"`
SAML string `xml:"xmlns:saml,attr"`
SAMLSIG string `xml:"xmlns:samlsig,attr"`
Destination string `xml:"Destination,attr"`
ID string `xml:"ID,attr"`
Version string `xml:"Version,attr"`
IssueInstant string `xml:"IssueInstant,attr"`
InResponseTo string `xml:"InResponseTo,attr"`
Assertion Assertion `xml:"Assertion"`
Signature Signature `xml:"Signature"`
Issuer Issuer `xml:"Issuer"`
Status Status `xml:"Status"`
// contains filtered or unexported fields
}
func NewSignedResponse ¶
func NewSignedResponse() *Response
func ParseEncodedResponse ¶
func (*Response) AddAttribute ¶
AddAttribute add strong attribute to the Response
func (*Response) CompressedEncodedSignedString ¶
func (*Response) EncodedSignedString ¶
func (*Response) GetAttribute ¶
GetAttribute by Name or by FriendlyName. Return blank string if not found
func (*Response) SignedString ¶
func (*Response) Validate ¶
func (r *Response) Validate(s *ServiceProviderSettings) error
type SPSSODescriptor ¶
type SPSSODescriptor struct {
XMLName xml.Name
ProtocolSupportEnumeration string `xml:"protocolSupportEnumeration,attr"`
SigningKeyDescriptor KeyDescriptor
EncryptionKeyDescriptor KeyDescriptor
// SingleLogoutService SingleLogoutService `xml:"SingleLogoutService"`
AssertionConsumerServices []AssertionConsumerService
}
type SPSSODescriptors ¶
type SPSSODescriptors struct {
}
type SamlsigReference ¶
type SamlsigReference struct {
XMLName xml.Name
URI string `xml:"URI,attr"`
Transforms Transforms `xml:",innerxml"`
DigestMethod DigestMethod `xml:",innerxml"`
DigestValue DigestValue `xml:",innerxml"`
}
type ServiceProviderSettings ¶
type ServiceProviderSettings struct {
PublicCertPath string
PrivateKeyPath string
IDPSSOURL string
IDPSSODescriptorURL string
IDPPublicCertPath string
AssertionConsumerServiceURL string
SPSignRequest bool
// contains filtered or unexported fields
}
ServiceProviderSettings provides settings to configure server acting as a SAML Service Provider. Expect only one IDP per SP in this configuration. If you need to configure multipe IDPs for an SP then configure multiple instances of this module
func (*ServiceProviderSettings) GetAuthnRequest ¶
func (s *ServiceProviderSettings) GetAuthnRequest() *AuthnRequest
GetSignedAuthnRequest returns a singed XML document that represents a AuthnRequest SAML document
func (*ServiceProviderSettings) GetEntityDescriptor ¶
func (s *ServiceProviderSettings) GetEntityDescriptor() (string, error)
func (*ServiceProviderSettings) IDPPublicCert ¶
func (s *ServiceProviderSettings) IDPPublicCert() string
func (*ServiceProviderSettings) Init ¶
func (s *ServiceProviderSettings) Init() (err error)
func (*ServiceProviderSettings) PrivateKey ¶
func (s *ServiceProviderSettings) PrivateKey() string
func (*ServiceProviderSettings) PublicCert ¶
func (s *ServiceProviderSettings) PublicCert() string
type Signature ¶
type Signature struct {
XMLName xml.Name
Id string `xml:"Id,attr"`
SignedInfo SignedInfo
SignatureValue SignatureValue
KeyInfo KeyInfo
}
type SignatureMethod ¶
type SignatureValue ¶
type SignedInfo ¶
type SignedInfo struct {
XMLName xml.Name
CanonicalizationMethod CanonicalizationMethod
SignatureMethod SignatureMethod
SamlsigReference SamlsigReference
}
type SingleLogoutService ¶
type Status ¶
type Status struct {
XMLName xml.Name
StatusCode StatusCode `xml:"StatusCode"`
}
type StatusCode ¶
type Subject ¶
type Subject struct {
XMLName xml.Name
NameID NameID
SubjectConfirmation SubjectConfirmation
}
type SubjectConfirmation ¶
type SubjectConfirmation struct {
XMLName xml.Name
Method string `xml:",attr"`
SubjectConfirmationData SubjectConfirmationData
}
type SubjectConfirmationData ¶
type Transforms ¶
type X509Certificate ¶
type X509Data ¶
type X509Data struct {
XMLName xml.Name
X509Certificate X509Certificate `xml:",innerxml"`
}
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.