Documentation ¶
Index ¶
- Constants
- type Assertion
- type Attribute
- type AuthnRequest
- type BaseID
- type Comparison
- type Conditions
- type ConfirmationMethod
- type EncryptedID
- type Extensions
- type IDPEntry
- type IDPList
- type Issuer
- type NameFormat
- type NameID
- type NameIDFormat
- type NameIDPolicy
- type NameIDType
- type RequestResponseCommon
- type RequestedAuthnContext
- type Response
- type Scoping
- type ServiceBinding
- type StatusCodeType
- type StatusRequestType
- type Subject
- type SubjectConfirmation
- type SubjectConfirmationData
- type TBD
Constants ¶
const (
SAMLVersion2 = "2.0"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Assertion ¶
Assertion is a SAML Assertion element. See 2.3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
func (*Assertion) Attributes ¶
Attributes returns the attributes of the Assertion. If there is no AttributeStatement or no contained Attributes, an empty list is returned.
func (*Assertion) Issuer ¶
Issuer returns the issuer of the Assertion if it exists. Otherwise, it returns an empty string.
func (*Assertion) SubjectNameID ¶
SubjectNameID returns the value of the NameID element if it exists in the Subject of the Assertion. Otherwise, it returns an empty string.
type Attribute ¶
Attribute is a SAML Attribute element. See 2.7.3.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type AuthnRequest ¶
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	StatusRequestType
	Subject              *Subject
	NameIDPolicy         *NameIDPolicy `xml:",omitempty"`
	Conditions           *Conditions
	RequestedAuthContext *RequestedAuthnContext
	Scoping              *Scoping
	ForceAuthn           bool   `xml:",attr,omitempty"`
	IsPassive            bool   `xml:",attr,omitempty"`
	AssertionConsumerServiceIndex string `xml:",attr,omitempty"`
	AssertionConsumerServiceURL   string `xml:",attr"`
	// A URI reference that identifies a SAML protocol binding to be used when
	// returning the Response message.
	ProtocolBinding ServiceBinding `xml:",attr"`
	AttributeConsumingServiceIndex string `xml:",attr,omitempty"`
	ProviderName                   string `xml:",attr,omitempty"`
}
See 3.4.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf TODO Finish this
func (*AuthnRequest) CreateXMLDocument ¶
func (a *AuthnRequest) CreateXMLDocument(indent int) ([]byte, error)
CreateXMLDocument creates an AuthnRequest XML document.
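The following is an added example and not code from this package. It builds and serialises a minimal AuthnRequest with encoding/xml using local, reduced mirrors of the page's Issuer, NameIDPolicy and AuthnRequest types (the field subset and the attribute placement of Format are assumptions of the example), draws the request ID from crypto/rand so it is unique and unguessable, and returns the request so the caller can keep its ID for the InResponseTo check on the Response. The entity ID and URLs are placeholders.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"os"
	"time"
)

// Reduced local mirrors of the page's Issuer, NameIDPolicy and AuthnRequest
// types (an assumption of this example, not the package's definitions). Only
// the fields needed for a minimal Web Browser SSO request are kept; Format is
// an attribute here because core 3.4.1.1 defines it as one.
type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Value   string   `xml:",chardata"`
}

type NameIDPolicy struct {
	Format      string `xml:",attr,omitempty"`
	AllowCreate bool   `xml:",attr"`
}

type AuthnRequest struct {
	XMLName                     xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string    `xml:",attr"`
	Version                     string    `xml:",attr"`
	IssueInstant                time.Time `xml:",attr"`
	Destination                 string    `xml:",attr"`
	AssertionConsumerServiceURL string    `xml:",attr"`
	ProtocolBinding             string    `xml:",attr"`
	ForceAuthn                  bool      `xml:",attr,omitempty"`
	Issuer                      *Issuer
	NameIDPolicy                *NameIDPolicy
}

const (
	SAMLVersion2           = "2.0"
	ServiceBindingHTTPPost = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	NameIDFormatPersistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
)

// NewRequestID returns a fresh request ID: 128 bits from crypto/rand, encoded
// as unpadded URL-safe base64 and prefixed with "_" so the value is a valid
// xs:ID (which must not start with a digit). The caller must store the ID;
// the Response's InResponseTo is later checked against it.
func NewRequestID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "_" + base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthnRequest assembles a request asking for the Response over the
// HTTP-POST binding. Destination is the IdP's SSO endpoint; acsURL is where
// the Response must be delivered, and the IdP's
// SubjectConfirmationData.Recipient must later equal it.
func BuildAuthnRequest(spEntityID, idpSSOURL, acsURL string, now time.Time) (*AuthnRequest, error) {
	id, err := NewRequestID()
	if err != nil {
		return nil, err
	}
	return &AuthnRequest{
		ID:                          id,
		Version:                     SAMLVersion2,
		IssueInstant:                now.UTC(),
		Destination:                 idpSSOURL,
		AssertionConsumerServiceURL: acsURL,
		ProtocolBinding:             ServiceBindingHTTPPost,
		Issuer:                      &Issuer{Value: spEntityID},
		NameIDPolicy:                &NameIDPolicy{Format: NameIDFormatPersistent, AllowCreate: true},
	}, nil
}

// XML serialises the request with an XML declaration. The document is
// unsigned; if the IdP requires signed requests, an XML Signature is added
// before the document is base64-encoded into the SAMLRequest parameter.
func (a *AuthnRequest) XML() ([]byte, error) {
	body, err := xml.MarshalIndent(a, "", "  ")
	if err != nil {
		return nil, err
	}
	return append([]byte(xml.Header), body...), nil
}

func main() {
	req, err := BuildAuthnRequest("https://sp.example.com/metadata",
		"https://idp.example.com/sso", "https://sp.example.com/acs", time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := req.XML()
	fmt.Println(string(out))
}
```

encoding/xml emits the namespaces as default xmlns declarations rather than the samlp:/saml: prefixes seen in most SAML traffic; both forms are the same infoset and IdPs accept either.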
type BaseID ¶
type BaseID struct {
	NameQualifier   string `xml:",attr,omitempty"`
	SPNameQualifier string `xml:",attr,omitempty"`
}
See 2.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type Comparison ¶
type Comparison string
Comparison specifies the comparison method used to evaluate the requested context classes or statements. Possible values: "exact", "minimum", "maximum", "better". See 3.3.2.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
const (
	// ComparisonExact requires that the resulting authentication context in the authentication
	// statement MUST be the exact match of at least one of the authentication contexts specified.
	ComparisonExact Comparison = "exact" // default when the attribute is omitted
	// ComparsionMin requires that the resulting authentication context in the authentication
	// statement MUST be at least as strong (as deemed by the responder) as one of the authentication
	// contexts specified.
	ComparsionMin Comparison = "minimum"
	// ComparsionMax requires that the resulting authentication context in the authentication
	// statement MUST be as strong as possible (as deemed by the responder) without exceeding the
	// strength of at least one of the authentication contexts specified.
	ComparsionMax Comparison = "maximum"
	// ComparisonBetter requires that the resulting authentication context in the authentication
	// statement MUST be stronger (as deemed by the responder) than any one of the authentication
	// contexts specified.
	ComparisonBetter Comparison = "better"
)
type Conditions ¶
type Conditions struct{}
type ConfirmationMethod ¶
type ConfirmationMethod string
ConfirmationMethod indicates the specific method to be used by the relying party to determine that the request or message came from a system entity that is associated with the subject of the assertion, within the context of a particular profile.
See 3. http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
const (
	// ConfirmationMethodHolderOfKey indicates that the subject is confirmed by a party that
	// can demonstrate proof of possession of a key. If this method is given, the
	// SubjectConfirmationData MUST contain one or more KeyInfo elements, where KeyInfo
	// identifies a cryptographic key.
	//
	// See 3.1 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodHolderOfKey ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
	// ConfirmationMethodSenderVouches indicates that no other information is available about
	// the context of use of the assertion; the relying party must determine it by other means.
	//
	// See 3.2 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodSenderVouches ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
	// ConfirmationMethodBearer indicates that whoever presents the assertion is the subject.
	// Because possession alone confirms the subject, the relying party must enforce the
	// SubjectConfirmationData constraints (Recipient, NotOnOrAfter, InResponseTo).
	//
	// See 3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
	ConfirmationMethodBearer ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
)
type EncryptedID ¶
type EncryptedID struct {
	EncryptedData xmlenc.EncryptedData
	EncryptedKey  xmlenc.EncryptedKey
}
See 2.2.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type Extensions ¶
type Extensions struct{}
type IDPEntry ¶
type IDPEntry struct {
	// ProviderID is the unique identifier of the identity provider.
	ProviderID string `xml:",attr"`
	// Name is a human-readable name for the identity provider.
	Name string
	// Loc is a URI reference representing the location of a profile-specific endpoint
	// supporting the authentication request protocol.
	Loc string
}
IDPEntry specifies a single identity provider trusted by the requester to authenticate the presenter. See 3.4.1.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type IDPList ¶
IDPList specifies the identity providers trusted by the requester to authenticate the presenter. See 3.4.1.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type Issuer ¶
type Issuer struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	NameIDType
}
Issuer, with type NameIDType, provides information about the issuer of a SAML assertion. See 2.2.5 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type NameFormat ¶
type NameFormat string
const (
NameFormatURI NameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
)
type NameID ¶
type NameID = NameIDType
See 2.2.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type NameIDFormat ¶
type NameIDFormat string
See 8.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
const (
	// See 8.3.1 - 8.3.8 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
	NameIDFormatUnspecified                NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
	NameIDFormatEmail                      NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
	NameIDFormatX509SubjectName            NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
	NameIDFormatWindowsDomainQualifiedName NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
	NameIDFormatKerberos                   NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
	NameIDFormatEntity                     NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
	NameIDFormatPersistent                 NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	NameIDFormatTransient                  NameIDFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
)
type NameIDPolicy ¶
type NameIDPolicy struct {
	Format          NameIDFormat `xml:",omitempty"`
	SPNameQualifier string       `xml:",attr,omitempty"`
	AllowCreate     bool         `xml:",attr"`
}
NameIDPolicy specifies constraints on the name identifier to be used to represent the requested subject. See 3.4.1.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type NameIDType ¶
type NameIDType struct {
	NameQualifier   string       `xml:",attr,omitempty"`
	SPNameQualifier string       `xml:",attr,omitempty"`
	Format          NameIDFormat `xml:",attr,omitempty"`
	SPProvidedID    string       `xml:",attr,omitempty"`
	Value           string       `xml:",chardata"`
}
See 2.2.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type RequestResponseCommon ¶
type RequestResponseCommon struct {
	ID      string `xml:",attr"` // required
	Version string `xml:",attr"` // required
	// The time instant of issue of the request.
	IssueInstant time.Time `xml:",attr"`           // required
	Consent      string    `xml:",attr,omitempty"` // optional TODO: define constants
	Issuer       *Issuer                           // recommended
	Singature    string    `xml:",omitempty"`      // recommended
	Extensions   *Extensions                       // optional
	Destination  string    `xml:",attr"`
}
See 3.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type RequestedAuthnContext ¶
type RequestedAuthnContext struct {
	XMLName              xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`
	AuthnContextClassRef []string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`
	Comparison           Comparison `xml:",attr"`
}
RequestedAuthnContext specifies the authentication context requirements of authentication statements returned in response to a request or query. See 3.3.2.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
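An added example, not code from this package, covering both the Comparison constants above and RequestedAuthnContext: it serialises a request for a multi-factor context and then enforces, on the service-provider side, that the AuthnContextClassRef returned in the AuthnStatement actually meets what was requested. The request expresses a wish; only the SP's own check makes it a guarantee. The types are local mirrors of the page's, the class URIs come from the SAML 2.0 Authentication Context specification, and the LocalStrength ranking is an assumed local policy, since the spec leaves relative strength to the responder. Only "exact" and "minimum" are enforced; "better" and "maximum" need the responder's ordering and are rejected rather than guessed.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Comparison and RequestedAuthnContext mirror the page's types (an assumption
// of the example). Only the two comparison methods whose meaning does not
// depend on the responder's own strength ordering are enforced here.
type Comparison string

const (
	ComparisonExact   Comparison = "exact"
	ComparisonMinimum Comparison = "minimum"
)

type RequestedAuthnContext struct {
	XMLName              xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:protocol RequestedAuthnContext"`
	AuthnContextClassRef []string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion AuthnContextClassRef"`
	Comparison           Comparison `xml:",attr"`
}

// Authentication context classes from the SAML 2.0 Authentication Context
// specification (saml-authn-context-2.0-os).
const (
	ClassPassword                   = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
	ClassPasswordProtectedTransport = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
	ClassTimeSyncToken              = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
	ClassSmartcardPKI               = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
)

// LocalStrength is the service provider's own ordering of classes, used for
// the "minimum" comparison. The spec leaves relative strength to the
// responder, so this ranking is local policy and an assumption of the example.
var LocalStrength = map[string]int{
	ClassPassword:                   1,
	ClassPasswordProtectedTransport: 2,
	ClassTimeSyncToken:              3,
	ClassSmartcardPKI:               4,
}

// Satisfies reports whether the AuthnContextClassRef found in the returned
// AuthnStatement meets what was requested. Unknown classes never satisfy a
// "minimum" request, so an IdP cannot pass by returning a class the SP does
// not rank.
func Satisfies(req RequestedAuthnContext, returned string, strength map[string]int) (bool, error) {
	if len(req.AuthnContextClassRef) == 0 {
		return false, fmt.Errorf("no AuthnContextClassRef requested")
	}
	switch req.Comparison {
	case ComparisonExact, "": // exact is the default when the attribute is absent
		for _, c := range req.AuthnContextClassRef {
			if c == returned {
				return true, nil
			}
		}
		return false, nil
	case ComparisonMinimum:
		got, ok := strength[returned]
		if !ok {
			return false, nil
		}
		weakest := 0
		for i, c := range req.AuthnContextClassRef {
			s, ok := strength[c]
			if !ok {
				return false, fmt.Errorf("requested class %q has no local strength", c)
			}
			if i == 0 || s < weakest {
				weakest = s
			}
		}
		return got >= weakest, nil
	default:
		return false, fmt.Errorf("comparison %q needs the responder's ordering and is not enforced here", req.Comparison)
	}
}

// XML serialises the element for inclusion in an AuthnRequest.
func (r RequestedAuthnContext) XML() ([]byte, error) {
	return xml.MarshalIndent(r, "", "  ")
}

func main() {
	req := RequestedAuthnContext{
		Comparison:           ComparisonExact,
		AuthnContextClassRef: []string{ClassTimeSyncToken, ClassSmartcardPKI},
	}
	out, _ := req.XML()
	fmt.Println(string(out))
	ok, _ := Satisfies(req, ClassPassword, LocalStrength)
	fmt.Println("password-only login satisfies MFA request:", ok)
}
```

Run Satisfies on the AuthnContextClassRef of every AuthnStatement you intend to rely on, after signature and subject-confirmation checks; an assertion that is genuine but carries a weaker context than requested should be rejected, not downgraded silently.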
type Response ¶
Response is a SAML Response element. See 3.3.3 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
func (*Response) Assertions ¶
Assertions returns the assertions in the Response.
type Scoping ¶
type Scoping struct {
	// ProxyCount specifies the number of proxying indirections permissible between the
	// identity provider that receives this AuthnRequest and the identity provider who
	// ultimately authenticates the principal.
	ProxyCount  int `xml:",attr"`
	IDPList     *IDPList
	RequesterID []string
}
Scoping ... (TODO: not important for the first MVP) See 3.4.1.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type ServiceBinding ¶
type ServiceBinding string
const (
	ServiceBindingHTTPPost     ServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	ServiceBindingHTTPRedirect ServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
	ServiceBindingSOAP         ServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
)
type StatusCodeType ¶
type StatusCodeType string
StatusCodeType defines the possible status codes in a SAML Response. Success, Requester, Responder and VersionMismatch are the top-level codes; the remaining codes are second-level codes that appear as a nested StatusCode beneath a top-level code and only refine it. The possible status codes are defined in: 3.2.2.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
const (
	// StatusCodeSuccess indicates that the request succeeded.
	StatusCodeSuccess StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Success"
	// StatusCodeRequester indicates that the request could not be performed due to
	// an error on the part of the requester.
	StatusCodeRequester StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Requester"
	// StatusCodeResponder indicates that the request could not be performed due to
	// an error on the part of the SAML responder or SAML authority.
	StatusCodeResponder StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Responder"
	// StatusCodeVersionMismatch indicates that the SAML responder could not process the
	// request because the version of the request message was incorrect.
	StatusCodeVersionMismatch StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
	// StatusCodeAuthnFailed indicates that the responding provider was unable to successfully
	// authenticate the principal.
	StatusCodeAuthnFailed StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
	// StatusCodeInvalidAttrNameOrValue indicates that unexpected or invalid content was
	// encountered within a <saml:Attribute> or <saml:AttributeValue> element.
	StatusCodeInvalidAttrNameOrValue StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
	// StatusCodeInvalidNameIDPolicy indicates that the responding provider cannot or will not support the
	// requested name identifier policy.
	StatusCodeInvalidNameIDPolicy StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
	// StatusCodeNoAuthnContext indicates that the specified authentication context requirements cannot
	// be met by the responder.
	StatusCodeNoAuthnContext StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
	// StatusCodeNoAvailableIDP is used by an intermediary to indicate that none of the
	// supported identity provider <Loc> elements in an <IDPList> can be resolved or that none of the
	// supported identity providers are available.
	StatusCodeNoAvailableIDP StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
	// StatusCodeNoPassive indicates that the responding provider cannot authenticate the principal passively,
	// as has been requested.
	StatusCodeNoPassive StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
	// StatusCodeNoSupportedIDP is used by an intermediary to indicate that none of the identity providers in an
	// <IDPList> are supported by the intermediary.
	StatusCodeNoSupportedIDP StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
	// StatusCodePartialLogout is used by a session authority to indicate to a session participant that it
	// was not able to propagate logout to all other session participants.
	StatusCodePartialLogout StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
	// StatusCodeProxyCountExceeded indicates that a responding provider cannot authenticate the principal
	// directly and is not permitted to proxy the request further.
	StatusCodeProxyCountExceeded StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
	// StatusCodeRequestDenied indicates that the SAML responder or SAML authority is able to process the
	// request but has chosen not to respond. This status code MAY be used when there is concern about the
	// security context of the request message or the sequence of request messages received from a particular
	// requester.
	StatusCodeRequestDenied StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
	// StatusCodeRequestUnsupported indicates that the SAML responder or SAML authority does not support the
	// request.
	StatusCodeRequestUnsupported StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
	// StatusCodeRequestVersionDeprecated indicates that the SAML responder cannot process any requests with
	// the protocol version specified in the request.
	StatusCodeRequestVersionDeprecated StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
	// StatusCodeRequestRequestVersionTooHigh indicates that the SAML responder cannot process the request because
	// the protocol version specified in the request message is a major upgrade from the highest protocol version
	// supported by the responder.
	StatusCodeRequestRequestVersionTooHigh StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
	// StatusCodeRequestVersionTooLow indicates that the SAML responder cannot process the request because
	// the protocol version specified in the request message is too low.
	StatusCodeRequestVersionTooLow StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
	// StatusCodeResourceNotRecognized indicates that the resource value provided in the request message is
	// invalid or unrecognized.
	StatusCodeResourceNotRecognized StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
	// StatusCodeTooManyResponses indicates that the response message would contain more elements than the SAML
	// responder is able to return.
	StatusCodeTooManyResponses StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
	// StatusCodeUnknownAttrProfile indicates that an entity that has no knowledge of a particular attribute
	// profile has been presented with an attribute drawn from that profile.
	StatusCodeUnknownAttrProfile StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
	// StatusCodeUnknownPrincipal indicates that the responding provider does not recognize the principal
	// specified or implied by the request.
	StatusCodeUnknownPrincipal StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
	// StatusCodeUnsupportedBinding indicates that the SAML responder cannot properly fulfill the request using
	// the protocol binding specified in the request.
	StatusCodeUnsupportedBinding StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
)
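An added example, not code from this package, showing how the top-level and second-level status codes above nest in a Response and how a service provider should interpret them. It decodes a constructed failure Response (Responder with a nested AuthnFailed) and a constructed success Response with encoding/xml, using reduced local mirrors of the page's Response type; the sample documents are made up for the example, not captured from an IdP.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

type StatusCodeType string

const (
	StatusCodeSuccess     StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Success"
	StatusCodeRequester   StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Requester"
	StatusCodeResponder   StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:Responder"
	StatusCodeAuthnFailed StatusCodeType = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
)

// StatusCode mirrors samlp:StatusCode. A second-level code, when present, is a
// nested StatusCode child of the top-level one (core 3.2.2.2).
type StatusCode struct {
	Value StatusCodeType `xml:",attr"`
	Sub   *StatusCode    `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
}

type Status struct {
	StatusCode    StatusCode `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusCode"`
	StatusMessage string     `xml:"urn:oasis:names:tc:SAML:2.0:protocol StatusMessage"`
}

// Response is a reduced mirror of the page's Response type holding only the
// fields this example decodes (an assumption of the example).
type Response struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID      string   `xml:",attr"`
	Status  Status   `xml:"urn:oasis:names:tc:SAML:2.0:protocol Status"`
}

// Constructed sample responses (not captured from a real IdP).
const sampleFailure = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2024-01-02T03:04:05Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Password check failed</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>`

const sampleSuccess = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0" IssueInstant="2024-01-02T03:04:05Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>`

// ParseStatus returns the top-level code, the second-level code if any, and
// the StatusMessage of a Response. A Response without a StatusCode is an error,
// never an implicit success.
func ParseStatus(doc []byte) (top, second StatusCodeType, msg string, err error) {
	var r Response
	if err = xml.Unmarshal(doc, &r); err != nil {
		return "", "", "", err
	}
	top = r.Status.StatusCode.Value
	if top == "" {
		return "", "", "", fmt.Errorf("response %s has no StatusCode", r.ID)
	}
	if r.Status.StatusCode.Sub != nil {
		second = r.Status.StatusCode.Sub.Value
	}
	return top, second, r.Status.StatusMessage, nil
}

// Succeeded reports whether the Response may be processed further. Only an
// exact top-level Success counts; second-level codes and the free-text
// StatusMessage are informational, and a successful status says nothing about
// authenticity: the signature check still comes first.
func Succeeded(top StatusCodeType) bool {
	return top == StatusCodeSuccess
}

func main() {
	for _, doc := range []string{sampleFailure, sampleSuccess} {
		top, second, msg, err := ParseStatus([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("success=%t top=%s second=%s message=%q\n", Succeeded(top), top, second, msg)
	}
}
```

StatusMessage is attacker-influenced free text from the IdP's point of view and IdP-influenced from the SP's; log it, but never render it unescaped to the user or branch on it.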
type StatusRequestType ¶
type StatusRequestType struct {
RequestResponseCommon
}
See 3.2.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type Subject ¶
type Subject struct {
	XMLName             xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
	SubjectConfirmation []*SubjectConfirmation
	BaseID              *BaseID      // optional
	NameID              *NameID      // optional
	EncryptedID         *EncryptedID // optional
}
Subject specifies the requested subject of the resulting assertion(s). If entirely omitted or if no identifier is included, the presenter of the message is presumed to be the requested subject.
See 2.4 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type SubjectConfirmation ¶
type SubjectConfirmation struct {
	Method                  ConfirmationMethod       `xml:",attr"` // required
	SubjectConfirmationData *SubjectConfirmationData               // optional
	BaseID                  *BaseID                                // optional
	NameID                  *NameID                                // optional
	EncryptedID             *EncryptedID                           // optional
}
See 2.4.1.1 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
type SubjectConfirmationData ¶
type SubjectConfirmationData struct {
	NotBefore    time.Time `xml:",attr"` // optional
	NotOnOrAfter time.Time `xml:",attr"` // optional
	Recipient    string    `xml:",attr"` // optional
	InResponseTo string    `xml:",attr"` // optional
	Address      string    `xml:",attr"` // optional
}
See 2.4.1.2 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
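An added example, not code from this package, serving both the ConfirmationMethod constants and the SubjectConfirmationData type above. Every attribute in SubjectConfirmationData is optional in the schema, but for a bearer confirmation in the Web Browser SSO profile (saml-profiles-2.0-os 4.1.4.3) the service provider must require Recipient to equal its own assertion consumer service URL, NotOnOrAfter to be present and unexpired, and InResponseTo to name a request it actually issued. The function below implements that check over local mirrors of the page's types; the BearerPolicy struct, the Outstanding request-ID map, the clock skew and the sample values are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Local mirrors of the page's ConfirmationMethod, SubjectConfirmation and
// SubjectConfirmationData, reduced to what this check reads (an assumption).
type ConfirmationMethod string

const (
	ConfirmationMethodHolderOfKey ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
	ConfirmationMethodBearer      ConfirmationMethod = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
)

type SubjectConfirmationData struct {
	NotBefore    time.Time
	NotOnOrAfter time.Time
	Recipient    string
	InResponseTo string
}

type SubjectConfirmation struct {
	Method                  ConfirmationMethod
	SubjectConfirmationData *SubjectConfirmationData
}

// BearerPolicy is what the service provider demands of a bearer confirmation.
type BearerPolicy struct {
	ACSURL           string          // our AssertionConsumerService URL
	Outstanding      map[string]bool // request IDs we issued and have not consumed
	Skew             time.Duration   // tolerated clock difference with the IdP
	AllowUnsolicited bool            // accept IdP-initiated responses without InResponseTo
}

var ErrNoBearer = errors.New("no acceptable bearer SubjectConfirmation")

// ConfirmBearer returns the first bearer confirmation that satisfies the policy.
// The matched request ID is consumed so the same Response cannot be replayed,
// so call this only after the signature has been verified.
func ConfirmBearer(scs []*SubjectConfirmation, p BearerPolicy, now time.Time) (*SubjectConfirmation, error) {
	var reasons []string
	for i, sc := range scs {
		if err := checkBearer(sc, p, now); err != nil {
			reasons = append(reasons, fmt.Sprintf("confirmation %d: %v", i, err))
			continue
		}
		if id := sc.SubjectConfirmationData.InResponseTo; id != "" {
			delete(p.Outstanding, id)
		}
		return sc, nil
	}
	return nil, fmt.Errorf("%w: %s", ErrNoBearer, strings.Join(reasons, "; "))
}

func checkBearer(sc *SubjectConfirmation, p BearerPolicy, now time.Time) error {
	if sc.Method != ConfirmationMethodBearer {
		return fmt.Errorf("method %q is not bearer", sc.Method)
	}
	d := sc.SubjectConfirmationData
	if d == nil {
		return errors.New("SubjectConfirmationData missing")
	}
	if d.Recipient != p.ACSURL {
		return fmt.Errorf("Recipient %q is not our ACS URL", d.Recipient)
	}
	if d.NotOnOrAfter.IsZero() {
		return errors.New("NotOnOrAfter missing")
	}
	if !now.Before(d.NotOnOrAfter.Add(p.Skew)) {
		return fmt.Errorf("expired at %s", d.NotOnOrAfter.UTC().Format(time.RFC3339))
	}
	if !d.NotBefore.IsZero() && now.Add(p.Skew).Before(d.NotBefore) {
		return errors.New("not yet valid")
	}
	switch {
	case d.InResponseTo == "" && !p.AllowUnsolicited:
		return errors.New("no InResponseTo and unsolicited responses are not accepted")
	case d.InResponseTo != "" && !p.Outstanding[d.InResponseTo]:
		return fmt.Errorf("InResponseTo %q does not match an outstanding request", d.InResponseTo)
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)
	p := BearerPolicy{ACSURL: "https://sp.example.com/acs", Outstanding: map[string]bool{"_req1": true}, Skew: 2 * time.Minute}
	// Constructed sample: a holder-of-key confirmation we cannot use, then a valid bearer one.
	scs := []*SubjectConfirmation{
		{Method: ConfirmationMethodHolderOfKey},
		{Method: ConfirmationMethodBearer, SubjectConfirmationData: &SubjectConfirmationData{
			Recipient: "https://sp.example.com/acs", NotOnOrAfter: now.Add(5 * time.Minute), InResponseTo: "_req1"}},
	}
	if _, err := ConfirmBearer(scs, p, now); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("accepted; outstanding IDs left:", len(p.Outstanding))
}
```

Comparing Recipient with plain string equality is deliberate: normalising or prefix-matching the ACS URL is how a Response meant for one endpoint gets accepted at another. In a real deployment the Outstanding map needs a bound on age and size, and the Conditions element (audience, NotOnOrAfter) is checked alongside this.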