
Add SAML Service Provider library #99

Merged
merged 69 commits into main from saml-lib
Sep 22, 2023

Conversation

@hcjulz (Collaborator) commented Sep 8, 2023

This PR adds the initial SAML service provider library. It supports the Web Browser SSO Profile and provides the creation of SAML Authentication Requests with the SAML HTTP Redirect and POST bindings, as well as SAML Response parsing and validation. It also comes with a test IDP provider that can be used for unit testing.

A demo can be found under ./saml/demo/main.go. It makes use of example handlers available in the ./handlers package.
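The HTTP-Redirect binding mentioned in the PR summary, worked as an added example. This is not the library's code: the AuthnRequest type, the function names and the example.com URLs are assumptions made for this illustration. It shows both directions of the binding: the SP side compresses the request XML with raw DEFLATE, base64-encodes it and URL-encodes it into the SAMLRequest query parameter; the receiving side (an IdP, or a test IdP of the kind the PR ships for unit tests) reverses that, with a cap on the inflated size so that a short deflate stream cannot be used as a decompression bomb.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"time"
)

// AuthnRequest is a minimal SAML 2.0 AuthnRequest for the Web Browser SSO
// profile (a type constructed for this example, not the library's).
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:"ID,attr"`
	Version                     string   `xml:"Version,attr"`
	IssueInstant                string   `xml:"IssueInstant,attr"`
	Destination                 string   `xml:"Destination,attr"`
	AssertionConsumerServiceURL string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// NewExampleAuthnRequest fills in placeholder values (example URLs and a
// fixed ID; a real SP generates a fresh random ID per request).
func NewExampleAuthnRequest() *AuthnRequest {
	return &AuthnRequest{
		ID:                          "_1f3a2d9c-example-request-id",
		Version:                     "2.0",
		IssueInstant:                time.Now().UTC().Format(time.RFC3339),
		Destination:                 "https://idp.example.com/sso",
		AssertionConsumerServiceURL: "https://sp.example.com/saml/acs",
		Issuer:                      "https://sp.example.com/saml/metadata",
	}
}

// RedirectBindingURL is the SP side of the HTTP-Redirect binding: the request
// XML is raw-DEFLATE compressed (no zlib header), base64-encoded and set as
// the SAMLRequest query parameter; RelayState is added if given. Query
// parameters already present on the IdP SSO URL are preserved.
func RedirectBindingURL(ssoURL string, req *AuthnRequest, relayState string) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // errors only for an invalid level
	if _, err := w.Write(raw); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	u, err := url.Parse(ssoURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// DecodeSAMLRequest is the receiving side: it takes the URL-decoded
// SAMLRequest value and reverses the encoding. maxBytes caps the inflated
// size so a few bytes of deflate cannot expand into a decompression bomb
// before XML parsing even starts.
func DecodeSAMLRequest(encoded string, maxBytes int64) (*AuthnRequest, error) {
	compressed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	raw, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if int64(len(raw)) > maxBytes {
		return nil, fmt.Errorf("inflated request exceeds %d bytes", maxBytes)
	}
	var req AuthnRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("xml: %w", err)
	}
	return &req, nil
}

func main() {
	u, err := RedirectBindingURL("https://idp.example.com/sso", NewExampleAuthnRequest(), "opaque-relay-state")
	if err != nil {
		panic(err)
	}
	fmt.Println(u)
}
```

Two things this example deliberately leaves out: the optional request signature for the redirect binding (the SigAlg and Signature query parameters, computed over the encoded SAMLRequest, RelayState and SigAlg values) and the receiver's check that Destination matches its own SSO endpoint. Both belong in any production implementation; the size cap on inflation is the part most often forgotten.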

hcjulz and others added 30 commits February 24, 2023 10:34
As part of the tests, this commit refactors sp.go and
adds a test provider with the feature to serve a metadata XML.
Add tests for Config and ServiceProvider
Add options for CreateMetadata and ParseResponse
…84)

* Adds ability to provide IdP metadata as XML or individual parameters

* DefaultGenerateAuthRequestID to GenerateAuthRequestID

* improve error message for URL parsing config params
hcjulz and others added 11 commits September 9, 2023 19:22
* fix (saml): address possible panic if clock.Clock is nil

* fix (saml): fix possible panic in WithAdditionalACSEndpoint(...)

Changed location URL to be passed by value to eliminate a possible
panic.

* refactor (saml): add WithMetadataNameIDFormat(...)

Refactor WithAdditionalNameIDFormat(...) and WithNameIDFormats(...)
into one new option WithMetadataNameIDFormat(...)

* fix (saml): address possible panics in saml handlers

* tests (saml): minor code improvements
remilapeyre and others added 10 commits September 13, 2023 09:59
* Add caching support to IDPMetadata()

Caching the metadata document will avoid an additional round-trip to the
IDP for every connection.

The Metadata for the OASIS Security Assertion Markup Language says
regarding caching:

	4.3 Post-Processing of Metadata
	The following sections describe the post-processing of metadata.

	4.3.1 Metadata Instance Caching
	[E94] Document caching MUST be based on the duration indicated by the cacheDuration attribute of
	the subject element(s). If metadata elements have parent elements which contain caching policies, the
	parent element takes precedence. To properly process the cacheDuration attribute, consumers must
	retain the date and time when an instance was obtained.

	Note that cache expiration does not imply a lack of validity in the absence of a validUntil attribute or
	other information; failure to update a cached instance (e.g., due to network failure) need not render
	metadata invalid, although implementations may offer such controls to deployers.
	When a document or element has expired, the consumer MUST retrieve a fresh copy, which may require
	a refresh of the document location(s). Consumers SHOULD process document cache processing
	according to [RFC2616] Section 13, and MAY request the Last-Modified date and time from the HTTP
	server. Publishers SHOULD ensure acceptable cache processing as described in [RFC2616] (Section
	10.3.5 304 Not Modified).

	4.3.2 [E94] Metadata Instance Validity
	Metadata MUST be considered invalid upon reaching the time specified in a validUntil attribute of the
	subject element(s). The effective expiration may be adjusted downward by parent element(s) with earlier
	expirations. Invalid metadata MUST NOT be used. This contrasts with "stale" metadata that may be
	beyond its optimum cache duration but is not explicitly invalid. Such metadata remains valid and MAY be
	used at the discretion of the implementation.

With this change the cached metadata is used until it expires. This behavior
can be disabled using WithCache().

Using a stale document when refreshing it fails is disabled by default
and users can opt-in using WithStale().

* Address code review comments

* Run go mod tidy

* Run go mod tidy

* Update saml/sp_test.go

Co-authored-by: Jim <[email protected]>

---------

Co-authored-by: Jim <[email protected]>
…ibutes (#104)

* saml: adds helpers for response assertions, subject, and attributes

* fix up comment

* Restructure test, add coverage, add issuer helpers
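The cacheDuration and validUntil rules quoted in the caching commit message above (stale versus invalid, refetch on expiry, opt-in use of a stale copy when the refresh fails, and no use at all of an invalid copy), worked into code as an added example. It is not the library's implementation: the types, the AllowStale field standing in for the commit's WithStale() opt-in, and the xsd:duration parser are this example's own. The Now field is nil-safe, which is the class of panic one of the fix commits above addresses.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// ErrInvalidMetadata: the cached copy is past validUntil (4.3.2) and a fresh
// fetch failed. Invalid metadata MUST NOT be used, AllowStale or not.
var ErrInvalidMetadata = errors.New("idp metadata is past validUntil and could not be refreshed")

// durationRE matches the xsd:duration subset used for cacheDuration in
// practice, P[nD][T[nH][nM][nS]]. Years and months have no fixed length
// and are deliberately not accepted.
var durationRE = regexp.MustCompile(`^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$`)

// ParseCacheDuration converts a cacheDuration attribute value to a time.Duration.
func ParseCacheDuration(s string) (time.Duration, error) {
	m := durationRE.FindStringSubmatch(s)
	if m == nil || s == "P" || strings.HasSuffix(s, "T") {
		return 0, fmt.Errorf("unsupported xsd:duration %q", s)
	}
	units := []time.Duration{24 * time.Hour, time.Hour, time.Minute, time.Second}
	var d time.Duration
	for i, u := range units {
		if m[i+1] != "" {
			n, _ := strconv.Atoi(m[i+1]) // matched \d+, so only overflow could fail
			d += time.Duration(n) * u
		}
	}
	return d, nil
}

// CachedMetadata is one fetched document plus the two attributes that drive
// the rules quoted in the commit (zero values mean the attribute is absent).
type CachedMetadata struct {
	Document      string
	FetchedAt     time.Time
	CacheDuration time.Duration
	ValidUntil    time.Time
}

// Stale: cacheDuration elapsed since FetchedAt (4.3.1); never stale if absent.
func (m *CachedMetadata) Stale(now time.Time) bool {
	return m.CacheDuration > 0 && !now.Before(m.FetchedAt.Add(m.CacheDuration))
}

// Invalid: validUntil reached (4.3.2).
func (m *CachedMetadata) Invalid(now time.Time) bool {
	return !m.ValidUntil.IsZero() && !now.Before(m.ValidUntil)
}

// MetadataCache: Fetch retrieves the IdP document, AllowStale is the opt-in
// to serve a stale copy when a refresh fails, Now may be nil (time.Now then).
type MetadataCache struct {
	Fetch      func() (*CachedMetadata, error)
	AllowStale bool
	Now        func() time.Time
	cached     *CachedMetadata
}

// Get serves the cached copy while it is fresh and valid, refetches when it
// is stale or invalid, and on a failed refetch returns the stale copy only
// when AllowStale is set and validUntil has not passed.
func (c *MetadataCache) Get() (*CachedMetadata, error) {
	now := time.Now()
	if c.Now != nil {
		now = c.Now()
	}
	if c.cached != nil && !c.cached.Stale(now) && !c.cached.Invalid(now) {
		return c.cached, nil
	}
	fresh, err := c.Fetch()
	if err == nil {
		c.cached = fresh
		return fresh, nil
	}
	switch {
	case c.cached == nil:
		return nil, fmt.Errorf("fetching idp metadata: %w", err)
	case c.cached.Invalid(now):
		return nil, ErrInvalidMetadata
	case c.AllowStale:
		return c.cached, nil
	}
	return nil, fmt.Errorf("refreshing stale idp metadata: %w", err)
}

func main() {
	d, err := ParseCacheDuration("P1DT12H")
	if err != nil {
		panic(err)
	}
	fmt.Println("cacheDuration P1DT12H =", d)
}
```

The ordering of the checks in the failure path is the point: an expired validUntil wins over AllowStale, which is exactly the distinction the spec draws between "stale" (may be used at the implementation's discretion) and "invalid" (must not be used).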
@austingebauer (Contributor) left a comment

Gave this a look and think things would be good to merge to main. The major items we last discussed have been addressed. We should create some GH issues in this repo to address the remaining comments for cleaning up todos, godoc, and future enhancements.

Huge thanks to @hcjulz for all of the effort! Also to @jimlambrt @remilapeyre for the contributions, testing, and review!

@jimlambrt (Collaborator) left a comment

Ty!

@hcjulz hcjulz merged commit f7be17e into main Sep 22, 2023
7 checks passed
@hcjulz hcjulz deleted the saml-lib branch September 22, 2023 05:05